misc: limit api/menu-badges parameters to digits (#36387)

combo/public/views.py

@@ -524,7 +524,7 @@ def error404(request, *args, **kwargs):
 
 def menu_badges(request):
     context = {'request': request}
-    page_ids = request.GET.getlist('page[]')
+    page_ids = [x for x in request.GET.getlist('page[]') if x.isdigit()]
     cells = []
     for klass in CellBase.get_cell_classes(lambda x: bool(x.get_badge)):
         cells.extend(klass.objects.filter(page_id__in=page_ids))

tests/test_notification.py

@@ -17,6 +17,8 @@ from combo.data.models import Page
 from combo.apps.notifications.models import Notification, NotificationsCell
 from combo.apps.lingo.models import Regie, ActiveItems, PaymentBackend
 
+from .test_manager import login as login_app
+
 pytestmark = pytest.mark.django_db
 
 client = Client()
@@ -83,10 +85,11 @@ def test_notification_api(john_doe, jane_doe):
     assert notification.acked is True
 
 
-def test_notification_cell(john_doe, jane_doe):
+def test_notification_cell(app, john_doe, jane_doe):
     page = Page(title='notif', slug='test_notification_cell', template_name='standard')
     page.save()
     cell = NotificationsCell(page=page, placeholder='content', order=0)
+    cell.save()
 
     context = {'request': RequestFactory().get('/')}
     context['synchronous'] = True # to get fresh content
@@ -141,6 +144,10 @@ def test_notification_cell(john_doe, jane_doe):
     assert 'notiother' in content
     assert cell.get_badge(context) == {'badge': '1'}
 
+    app = login_app(app, username='jane.doe', password='jane.doe')
+    resp = app.get('/api/menu-badges/?page[]=%s' % page.id)
+    assert resp.json == {'1': {'badge': '1'}}
+
 
 def test_notification_ws(john_doe):