lingo: validate service_options in forms (#41439)

combo/apps/lingo/models.py

@@ -35,7 +35,7 @@ from django.utils.translation import ugettext_lazy as _
 from django.utils import timezone, dateparse, six
 from django.core.mail import EmailMultiAlternatives
 from django.urls import reverse
-from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
+from django.core.exceptions import ObjectDoesNotExist, PermissionDenied, ValidationError
 from django.utils.encoding import python_2_unicode_compatible
 from django.utils.formats import localize
 from django.utils.http import urlencode
@@ -89,6 +89,11 @@ def build_remote_item(data, regie):
                       no_online_payment_reason=data.get('no_online_payment_reason'))
 
 
+def validate_dict(value):
+    if not isinstance(value, dict):
+        raise ValidationError(_('Value must be a JSON object'))
+
+
 @python_2_unicode_compatible
 class PaymentBackend(models.Model):
     label = models.CharField(verbose_name=_('Label'), max_length=64)
@@ -97,7 +102,10 @@ class PaymentBackend(models.Model):
         help_text=_('The identifier is used in webservice calls.'))
     service = models.CharField(
         verbose_name=_('Payment Service'), max_length=64, choices=SERVICES)
-    service_options = JSONField(blank=True, verbose_name=_('Payment Service Options'))
+    service_options = JSONField(
+        blank=True,
+        verbose_name=_('Payment Service Options'),
+        validators=[validate_dict])
 
     def __str__(self):
         return self.label

tests/test_lingo_manager.py

@@ -618,6 +618,47 @@ def test_add_payment_backend(app, admin_user):
     assert resp.location.endswith('/manage/lingo/paymentbackends/')
 
 
+def test_add_payment_backend_validate_options(app, admin_user):
+    app = login(app)
+    resp = app.get('/manage/lingo/paymentbackends/add/', status=200)
+    assert '/manage/lingo/paymentbackends/' in resp.text
+
+    resp.forms[0]['label'] = 'Test'
+    resp.forms[0]['slug'] = 'test-add'
+    resp.forms[0]['service'] = 'dummy'
+    resp.forms[0]['service_options'] = 'xx'
+    resp2 = resp.forms[0].submit()
+    assert not PaymentBackend.objects.count()
+
+    resp.forms[0]['service_options'] = '"xx"'
+    resp2 = resp.forms[0].submit()
+    assert not PaymentBackend.objects.count()
+
+    resp.forms[0]['service_options'] = '[1]'
+    resp2 = resp.forms[0].submit()
+    assert not PaymentBackend.objects.count()
+
+    resp.forms[0]['service_options'] = '{"a": 1}'
+    resp2 = resp.forms[0].submit()
+    assert PaymentBackend.objects.count()
+    assert PaymentBackend.objects.get().service_options == {'a': 1}
+
+
+@pytest.mark.xfail
+def test_jsonfield_null_bug(app, admin_user):
+    app = login(app)
+    resp = app.get('/manage/lingo/paymentbackends/add/', status=200)
+    assert '/manage/lingo/paymentbackends/' in resp.text
+
+    resp.forms[0]['label'] = 'Test'
+    resp.forms[0]['slug'] = 'test-add'
+    resp.forms[0]['service'] = 'dummy'
+    resp.forms[0]['service_options'] = 'null'
+    resp2 = resp.forms[0].submit()
+    assert PaymentBackend.objects.count()
+    assert PaymentBackend.objects.get().service_options == {'a': 1}
+
+
 def test_edit_payment_backend(app, admin_user):
     payment_backend = PaymentBackend.objects.create(label='label1', slug='slug1')
     app = login(app)
@@ -633,3 +674,9 @@ def test_edit_payment_backend(app, admin_user):
     assert resp.location.endswith('/manage/lingo/paymentbackends/')
     payment_backend = PaymentBackend.objects.get(slug='slug1')
     assert payment_backend.label == 'label1-modified'
+
+
+def test_use_old_service_options_safely(app, admin_user):
+    PaymentBackend(service='dummy', service_options='xx').get_payment()
+    PaymentBackend(service='dummy', service_options='"xx"').get_payment()
+    PaymentBackend(service='dummy', service_options=None).get_payment()