api: handle wrong payload types in role memberships direct definition (#36727)

2019-10-07 10:39:31 +02:00 · 2019-10-07 10:39:31 +02:00 · 9e0b32b71d
parent 5adef18631
commit 9e0b32b71d
2 changed files with 30 additions and 3 deletions
--- a/src/authentic2/api_views.py
+++ b/src/authentic2/api_views.py
@ -781,10 +781,15 @@ class RoleMembershipsAPI(ExceptionHandlerMixin, APIView):

        for entry in request.data.get('data', ()):
            try:
-                self.members.append(User.objects.get(uuid=entry['uuid']))
+                uuid = entry['uuid']
+            except TypeError:
+                raise ValidationError(_("List elements of the 'data' dict "
+                        "entry must be dictionaries"))
            except KeyError:
                raise ValidationError(_("Missing 'uuid' key for dict entry %s "
                        "of the 'data' payload") % entry)
+            try:
+                self.members.append(User.objects.get(uuid=uuid))
            except User.DoesNotExist:
                raise ValidationError(
                        _('No known user for UUID %s') % entry['uuid'])
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -801,7 +801,7 @@ def test_api_role_members_payload_missing(app, api_user, role):
            status=status)


-def test_api_role_members_wrong_payload_type(app, superuser, role_random, member_rando2):
+def test_api_role_members_wrong_payload_types(app, superuser, role_random, member_rando2):
    app.authorization = ('Basic', (superuser.username, superuser.username))

    payload = [{
@ -813,7 +813,29 @@ def test_api_role_members_wrong_payload_type(app, superuser, role_random, member
            params=payload, status=400)

    assert resp.json['result'] == 0
-    assert resp.json['errors'][0] == 'Payload must be a dictionary'
+    assert resp.json['errors'] == ['Payload must be a dictionary']
+
+    payload = {
+        "data": [[member_rando2.uuid]]
+    }
+
+    resp = app.post_json(
+            '/api/roles/{}/relationships/members/'.format(role_random.uuid),
+            params=payload, status=400)
+
+    assert resp.json['result'] == 0
+    assert resp.json['errors'] == ["List elements of the 'data' dict entry must be dictionaries"]
+
+    payload = {
+        "data": [member_rando2.uuid]
+    }
+
+    resp = app.post_json(
+            '/api/roles/{}/relationships/members/'.format(role_random.uuid),
+            params=payload, status=400)
+
+    assert resp.json['result'] == 0
+    assert resp.json['errors'] == ["List elements of the 'data' dict entry must be dictionaries"]


 def test_register_no_email_validation(app, admin, django_user_model):