gallery: return 404 if cell of image is not found (#58900)

combo/apps/gallery/views.py

@@ -14,7 +14,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from django.shortcuts import redirect
+from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.views.generic import CreateView, UpdateView
 
@@ -27,8 +27,12 @@ class ImageAddView(CreateView):
     template_name = 'combo/gallery_image_form.html'
     form_class = ImageAddForm
 
+    def dispatch(self, request, *args, **kwargs):
+        self.cell = get_object_or_404(GalleryCell, pk=kwargs['gallery_pk'])
+        return super().dispatch(request, *args, **kwargs)
+
     def form_valid(self, form):
-        form.instance.gallery_id = self.kwargs.get('gallery_pk')
+        form.instance.gallery = self.cell
         other_images = form.instance.gallery.image_set.all()
         if other_images:
             form.instance.order = max(x.order for x in other_images) + 1
@@ -38,7 +42,7 @@ class ImageAddView(CreateView):
 
     def get_success_url(self):
         return (
-            reverse('combo-manager-page-view', kwargs={'pk': self.object.gallery.page.id})
+            reverse('combo-manager-page-view', kwargs={'pk': self.object.gallery.page_id})
             + '#cell-'
             + self.object.gallery.get_reference()
         )
@@ -52,9 +56,12 @@ class ImageEditView(UpdateView):
     template_name = 'combo/gallery_image_form.html'
     form_class = ImageEditForm
 
+    def get_object(self, queryset=None):
+        return get_object_or_404(Image, pk=self.kwargs['pk'], gallery=self.kwargs['gallery_pk'])
+
     def get_success_url(self):
         return (
-            reverse('combo-manager-page-view', kwargs={'pk': self.object.gallery.page.id})
+            reverse('combo-manager-page-view', kwargs={'pk': self.object.gallery.page_id})
             + '#cell-'
             + self.object.gallery.get_reference()
         )
@@ -64,15 +71,15 @@ image_edit = ImageEditView.as_view()
 
 
 def image_delete(request, gallery_pk, pk):
-    gallery = GalleryCell.objects.get(id=gallery_pk)
-    Image.objects.get(id=pk).delete()
-    return redirect(reverse('combo-manager-page-view', kwargs={'pk': gallery.page.id}))
+    image = get_object_or_404(Image, pk=pk, gallery=gallery_pk)
+    image.delete()
+    return redirect(reverse('combo-manager-page-view', kwargs={'pk': image.gallery.page_id}))
 
 
 def image_order(request, gallery_pk):
-    gallery = GalleryCell.objects.get(id=gallery_pk)
+    gallery = get_object_or_404(GalleryCell, pk=gallery_pk)
     new_order = [int(x) for x in request.GET['new-order'].split(',')]
     for image in gallery.image_set.all():
         image.order = new_order.index(image.id) + 1
         image.save()
-    return redirect(reverse('combo-manager-page-view', kwargs={'pk': gallery.page.id}))
+    return redirect(reverse('combo-manager-page-view', kwargs={'pk': gallery.page_id}))

tests/test_gallery_cell.py

@@ -63,3 +63,19 @@ def test_adding_gallery_images(app, admin_user):
 
     resp = app.get('/%s/' % page.slug, status=200)
     assert 'pink' not in resp.text
+
+    # image does not exist
+    app.get(reverse('combo-gallery-image-edit', kwargs={'gallery_pk': cell.id, 'pk': 0}), status=404)
+    app.get(reverse('combo-gallery-image-delete', kwargs={'gallery_pk': cell.id, 'pk': 0}), status=404)
+
+    # cell does not exist
+    app.get(reverse('combo-gallery-image-add', kwargs={'gallery_pk': 0}), status=404)
+    app.get(
+        reverse('combo-gallery-image-edit', kwargs={'gallery_pk': 0, 'pk': cell.image_set.first().pk}),
+        status=404,
+    )
+    app.get(
+        reverse('combo-gallery-image-delete', kwargs={'gallery_pk': 0, 'pk': cell.image_set.first().pk}),
+        status=404,
+    )
+    app.get(reverse('combo-gallery-image-order', kwargs={'gallery_pk': 0}), status=404)