From 61e0c590b8b2f1e18d1a665fb6290472fcb5eeae Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Mon, 19 Aug 2019 15:34:03 +0200
Subject: [PATCH] api: returns 400 on invalid fillslot's event_pk (#35451)
---
 chrono/api/views.py | 8 +++++++-
 tests/test_api.py | 6 ++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/chrono/api/views.py b/chrono/api/views.py
index 04c78100..5d4766fb 100644
--- a/chrono/api/views.py
+++ b/chrono/api/views.py
@@ -423,7 +423,13 @@ class Fillslots(APIView):
 meeting_type_id = slots[0].split(':')[0]
 datetimes = set()
 for slot in slots:
- meeting_type_id_, datetime_str = slot.split(':')
+ try:
+ meeting_type_id_, datetime_str = slot.split(':')
+ except ValueError:
+ return Response({
+ 'err': 1,
+ 'reason': 'invalid slot: %s' % slot,
+ }, status=status.HTTP_400_BAD_REQUEST)
 if meeting_type_id_ != meeting_type_id:
 return Response({
 'err': 1,
diff --git a/tests/test_api.py b/tests/test_api.py
index 97b5599b..acf9bd07 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -561,6 +561,12 @@ def test_booking_api_meeting(app, meetings_agenda, user):
 ).path == '/api/agenda/%s/fillslot/%s/' % (meetings_agenda.slug, event_id)
 app.authorization = ('Basic', ('john.doe', 'password'))
+
+ # verify malformed event_pk returns a 400
+ resp_booking = app.post('/api/agenda/%s/fillslot/None/' % agenda_id, status=400)
+ assert resp_booking.json['err'] == 1
+
+ # make a booking
 resp_booking = app.post('/api/agenda/%s/fillslot/%s/' % (agenda_id, event_id))
 assert Booking.objects.count() == 1
 assert resp_booking.json['datetime'] == localtime(Booking.objects.all()[0].event.start_datetime
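Review bot: The new `except ValueError` in the `for slot in slots:` loop carries no comment saying what shape a slot must have, so the next reader has to infer the contract from the tuple unpacking; a one-line note above the `try`, `# a slot is '<meeting_type_id>:<datetime>'; a bare pk or an extra colon is a client error (400), not a 500`, would make the new branch self-explanatory. The guard covers only the unpacking: `meeting_type_id` on the first context line is derived from `slots[0]` with `split(':')[0]`, which cannot raise, so that is fine, but `datetime_str` is presumably parsed further down outside the hunk and, if that parse can raise on client input, it deserves the same 400 treatment. The body of `Fillslots` starts and ends outside the hunk.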
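Review bot: The added assertion in `test_booking_api_meeting` pins only `resp_booking.json['err'] == 1`, so a 400 coming from any other validation branch of the view would also satisfy it; asserting the reason too, presumably `assert resp_booking.json['reason'] == 'invalid slot: None'` if the URL segment reaches the view unchanged, ties the test to the new `except ValueError` branch. Only the no-colon form is exercised; a value with a second colon (a constructed example is `1:2:3`) would take the same unpacking error path and could share this check. The enclosing test function starts before the hunk.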