From b9a2848a2699f06c3b1db0bf8c45111f3f93dd60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Thu, 7 Feb 2019 13:35:52 +0100
Subject: [PATCH] api: make sure event status API only accepts numbers (#30459)
---
 chrono/api/urls.py | 2 +-
 tests/test_api.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/chrono/api/urls.py b/chrono/api/urls.py
index a7b88b90..d595d41d 100644
--- a/chrono/api/urls.py
+++ b/chrono/api/urls.py
@@ -27,7 +27,7 @@ urlpatterns = [
 views.fillslot, name='api-fillslot'), url(r'agenda/(?P[\w-]+)/fillslots/$', views.fillslots, name='api-agenda-fillslots'),
- url(r'agenda/(?P[\w-]+)/status/(?P\w+)/$', views.slot_status,
+ url(r'agenda/(?P[\w-]+)/status/(?P\d+)/$', views.slot_status,
 name='api-event-status'), url(r'agenda/meetings/(?P[\w-]+)/datetimes/$',
diff --git a/tests/test_api.py b/tests/test_api.py
index 85ebac17..e910df48 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -797,6 +797,7 @@ def test_status(app, some_data, user):
 app.authorization = ('Basic', ('john.doe', 'password'))
 resp = app.get('/api/agenda/%s/status/%s/' % (agenda_id, 9999), status=404)
+ resp = app.get('/api/agenda/%s/status/%s/' % (agenda_id, 'xx'), status=404)
 resp = app.get('/api/agenda/%s/status/%s/' % (agenda_id, event.id))
 assert resp.json['err'] == 0
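Review bot: The new `\d+` segment in the `api-event-status` pattern puts no limit on the number of digits, so an arbitrarily long numeric id still reaches `views.slot_status`; if that view passes the value straight to an integer primary-key lookup (the view is not shown here), an out-of-range number may surface as a database error and a 500 rather than the 404 this change aims for. On Python 3, `\d` in a str pattern also matches non-ASCII decimal digits, which is wider than "numbers" in the commit title suggests. Consider `[0-9]{1,10}` in place of `\d+` (with the bound chosen to fit the key column), and extend the `test_status` hunk with an over-long numeric id expecting `status=404`. The named groups appear stripped from this page, so the group name is left out of the suggestion.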