api: forbid exclude_user parameter in events fillslots (#69867)

chrono/api/serializers.py

@@ -118,6 +118,8 @@ class EventsFillSlotsSerializer(FillSlotSerializer):
             raise serializers.ValidationError({'slots': _('This field is required.')})
         if not attrs.get('user_external_id'):
             raise serializers.ValidationError({'user_external_id': _('This field is required.')})
+        if 'exclude_user' in attrs:
+            raise serializers.ValidationError({'exclude_user': _('This parameter is not supported.')})
         return attrs
 
 

tests/api/fillslot/test_events.py

@@ -516,3 +516,19 @@ def test_api_events_fillslots_overlapping_events(app, user, freezer):
 
     resp = app.post_json(fillslots_url, params={**params, 'slots': 'event-12-14,event-13-15'})
     assert resp.json['booking_count'] == 2
+
+
+@pytest.mark.freeze_time('2021-09-06 12:00')
+def test_api_events_fillslots_exclude_user_forbidden(app, user):
+    events_type = EventsType.objects.create(label='Foo')
+    agenda = Agenda.objects.create(label='Foo bar', kind='events', events_type=events_type)
+    Event.objects.create(
+        label='Event', start_datetime=now() + datetime.timedelta(days=1), places=2, agenda=agenda
+    )
+
+    app.authorization = ('Basic', ('john.doe', 'password'))
+    fillslots_url = '/api/agenda/%s/events/fillslots/' % agenda.slug
+    params = {'user_external_id': 'user_id', 'slots': 'xxx', 'exclude_user': True}
+    resp = app.post_json(fillslots_url, params=params, status=400)
+    assert resp.json['err'] == 1
+    assert resp.json['errors']['exclude_user'][0] == 'This parameter is not supported.'