search: return 404 if cell does not exist (#49876)

combo/apps/search/models.py

@@ -24,6 +24,7 @@ from django.http import HttpResponse
 from django.core.exceptions import PermissionDenied
 from django.utils.functional import cached_property
 from django.utils.http import quote
+from django.shortcuts import get_object_or_404
 from django.template import RequestContext, Template
 
 from jsonfield import JSONField
@@ -172,7 +173,7 @@ class SearchCell(CellBase):
 
     @classmethod
     def ajax_results_view(cls, request, cell_pk, service_slug):
-        cell = cls.objects.get(pk=cell_pk)
+        cell = get_object_or_404(cls, pk=cell_pk)
         if not cell.is_visible(user=request.user) or not cell.page.is_visible(request.user):
             raise PermissionDenied
 

tests/test_search.py

@@ -57,15 +57,18 @@ class SearchServices(object):
 
 
 def test_search_cell(app):
+    page = Page(title='Search', slug='search_page', template_name='standard')
+    page.save()
+
+    cell = SearchCell(page=page, placeholder='content', order=0)
+    cell._search_services = {'data': ['search1']}
+    cell.input_placeholder = 'my placeholder'
+    cell.save()
+
+    # unknown cell pk
+    resp = app.get('/ajax/search/0/search1/?q=foo', status=404)
+
     with SearchServices(SEARCH_SERVICES):
-        page = Page(title='Search', slug='search_page', template_name='standard')
-        page.save()
-
-        cell = SearchCell(page=page, placeholder='content', order=0)
-        cell._search_services = {'data': ['search1']}
-        cell.input_placeholder = 'my placeholder'
-        cell.save()
-
         resp = cell.render({})
         assert 'input' in resp
         assert 'id="combo-search-input-%s"' % cell.pk in resp