From 53651ec33e0473babbfd74fad4b382174e4f3b59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Laur=C3=A9line=20Gu=C3=A9rin?=
Date: Tue, 5 Jan 2021 11:02:01 +0100
Subject: [PATCH] search: return 404 if cell does not exist (#49876)
---
 combo/apps/search/models.py | 3 ++-
 tests/test_search.py | 19 +++++++++++--------
 2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/combo/apps/search/models.py b/combo/apps/search/models.py
index 7ea54b66..87c79673 100644
--- a/combo/apps/search/models.py
+++ b/combo/apps/search/models.py
@@ -24,6 +24,7 @@ from django.http import HttpResponse
 from django.core.exceptions import PermissionDenied
 from django.utils.functional import cached_property
 from django.utils.http import quote
+from django.shortcuts import get_object_or_404
 from django.template import RequestContext, Template
 from jsonfield import JSONField
@@ -172,7 +173,7 @@ class SearchCell(CellBase):
 @classmethod
 def ajax_results_view(cls, request, cell_pk, service_slug):
- cell = cls.objects.get(pk=cell_pk)
+ cell = get_object_or_404(cls, pk=cell_pk)
 if not cell.is_visible(user=request.user) or not cell.page.is_visible(request.user):
 raise PermissionDenied
diff --git a/tests/test_search.py b/tests/test_search.py
index 06ac05f4..56e52fc1 100644
--- a/tests/test_search.py
+++ b/tests/test_search.py
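Review bot: `ajax_results_view` answers 404 for a missing cell but still raises `PermissionDenied` for a cell the caller may not see, so the status code alone tells an unauthorised caller which cell pks exist. If cell existence is meant to stay private, the visibility branch could use `raise Http404` as well; if the 403 is deliberate, a comment such as `# 403 on purpose: cell pks are not treated as secret` would record that. `get_object_or_404` only converts a missing row, so whether a non-numeric `cell_pk` can reach this line depends on the URL pattern, which is not in the hunk. The method body continues past the hunk.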
@@ -57,15 +57,18 @@ class SearchServices(object):
 def test_search_cell(app):
+ page = Page(title='Search', slug='search_page', template_name='standard')
+ page.save()
+
+ cell = SearchCell(page=page, placeholder='content', order=0)
+ cell._search_services = {'data': ['search1']}
+ cell.input_placeholder = 'my placeholder'
+ cell.save()
+
+ # unknown cell pk
+ resp = app.get('/ajax/search/0/search1/?q=foo', status=404)
+
 with SearchServices(SEARCH_SERVICES):
- page = Page(title='Search', slug='search_page', template_name='standard')
- page.save()
-
- cell = SearchCell(page=page, placeholder='content', order=0)
- cell._search_services = {'data': ['search1']}
- cell.input_placeholder = 'my placeholder'
- cell.save()
-
 resp = cell.render({})
 assert 'input' in resp
 assert 'id="combo-search-input-%s"' % cell.pk in resp
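Review bot: The unknown-pk request in `test_search_cell` binds `resp`, but that value is never read before `resp = cell.render({})` overwrites it; a bare `app.get('/ajax/search/0/search1/?q=foo', status=404)` says the same thing. The request also runs outside `with SearchServices(SEARCH_SERVICES):`, so it appears to rely on the 404 being raised before the service slug is looked up; a comment like `# cell lookup must 404 before any search service is resolved` would keep that intent visible. Only the missing-cell path is covered here, and a companion request against an existing but non-visible cell would pin the 403 behaviour the view keeps. The test function appears to continue past the end of the hunk.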