From 61d638ef835db15b6252b643b79e5ea62317aa6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Fri, 19 Feb 2021 11:30:28 +0100
Subject: [PATCH] dashboard: return bad request on invalid key given to auto_tile (#51282)

---
 combo/apps/dashboard/views.py | 3 +++
 tests/test_dashboard.py | 8 ++++++++
 2 files changed, 11 insertions(+)

diff --git a/combo/apps/dashboard/views.py b/combo/apps/dashboard/views.py
index f6e7a6d1..8caa6112 100644
--- a/combo/apps/dashboard/views.py
+++ b/combo/apps/dashboard/views.py
@@ -133,6 +133,9 @@ def dashboard_auto_tile(request, *args, **kwargs):
 dashboard = DashboardCell.objects.filter(page__snapshot__isnull=True)[0]
 cell = ConfigJsonCell(key=kwargs.get('key'), order=1, page_id=dashboard.page_id, placeholder='_auto_tile')
 
+ if cell.key not in settings.JSON_CELL_TYPES:
+ return HttpResponseBadRequest('bad request, invalid cell type: "%s"' % cell.key)
+
 # only keep parameters that are actually defined for this cell type.
 cell.parameters = {}
 for field in settings.JSON_CELL_TYPES[cell.key].get('form') or []:
diff --git a/tests/test_dashboard.py b/tests/test_dashboard.py
index f696b0eb..8a50899c 100644
--- a/tests/test_dashboard.py
+++ b/tests/test_dashboard.py
@@ -247,6 +247,14 @@ def test_auto_tile(app, site):
 )
 assert resp.text.strip() == '/var1=one/var2=/'
 
+ # with invalid cell key
+ resp = app.post(
+ reverse('combo-dashboard-auto-tile', kwargs={'key': 'missing'}),
+ params=json.dumps({'var1': 'one', 'var2': 'two'}),
+ content_type='application/json',
+ status=400,
+ )
+
 # with missing data
 resp = app.post(
 reverse('combo-dashboard-auto-tile', kwargs={'key': 'test-config-json-cell'}),
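Review bot: In combo/apps/dashboard/views.py the new 400 response interpolates `cell.key`, which comes straight from the URL kwargs, into a body that Django's `HttpResponseBadRequest` serves as `text/html` by default, so the value is reflected unescaped. Whether markup characters can reach this line depends on the URL pattern for `key`, which is not visible in the hunk; unless that route is limited to a slug-like character set, the view should not rely on the router for this. Either drop the value from the message or declare the body as plain text: `return HttpResponseBadRequest('bad request, invalid cell type: "%s"' % cell.key, content_type='text/plain')`. The body of dashboard_auto_tile starts and continues outside the hunk.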
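Review bot: In tests/test_dashboard.py the new invalid-key case pins only the status code through `status=400`; `resp` is assigned and never inspected, so any other 400 path in the view would satisfy it. Adding `assert 'invalid cell type' in resp.text` after the call would tie the test to the check this commit introduces. Since the message echoes the key, an assertion on the response content type would also document how that echoed value is meant to be served. test_auto_tile begins and continues outside the hunk.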