From 4ace5a41e33831b7dcccb630679bf5cde398598b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Tue, 2 Aug 2022 14:05:49 +0200
Subject: [PATCH] misc: check value passed to |order_by is a string (#67856)
---
 tests/test_formdata.py | 9 +++++++++
 wcs/variables.py | 6 ++++++
 2 files changed, 15 insertions(+)
diff --git a/tests/test_formdata.py b/tests/test_formdata.py
index 01b1ba7c5..0aaf1aed2 100644
--- a/tests/test_formdata.py
+++ b/tests/test_formdata.py
@@ -1096,8 +1096,17 @@ def test_lazy_formdata_queryset(pub, variable_test_data):
     # check ordering
     qs = lazy_formdata.objects.pending().order_by('id')
+    assert qs.count == 7
     assert [x.number for x in qs] == ['1-1', '1-2', '1-3', '1-4', '1-5', '1-6', '1-7']
+    # check ordering with invalid value
+    pub.loggederror_class.wipe()
+    qs = lazy_formdata.objects.pending().order_by(datetime.date(2022, 8, 2))
+    assert qs.count == 0
+    assert pub.loggederror_class.count() == 1
+    logged_error = pub.loggederror_class.select()[0]
+    assert logged_error.summary == 'Invalid value datetime.date(2022, 8, 2) for "order_by"'
     # Check accessing an non-numeric attribute doesn't try to cache things
     # (see code for explanation)
     manager = lazy_formdata.objects
diff --git a/wcs/variables.py b/wcs/variables.py
index 4877fc204..a34c636ce 100644
--- a/wcs/variables.py
+++ b/wcs/variables.py
@@ -69,6 +69,12 @@ class LazyFormDefObjectsManager:
         )
     def order_by(self, attribute):
+        if not isinstance(attribute, str):
+            get_publisher().record_error(
+                _('Invalid value %r for "order_by"') % attribute,
+                formdata=self._formdata,
+            )
+            return self.none()
         field = self.get_field(attribute)
         return self._clone(self._criterias, order_by=field or attribute)
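Review bot: The new guard in `order_by` only closes the non-string path; a string that `get_field` does not resolve still reaches the query through `order_by=field or attribute` on the hunk's last line, and the test hunk relies on that fallback for `'id'`. Whether `_clone` or the storage layer restricts such strings to known column names is not visible here, so confirm it does before treating this as a complete check on template-supplied order keys. That fallback is pre-existing rather than introduced by the commit, but it deserves a comment next to the new check, e.g. `# non-field strings fall through to the backend, which must reject unknown column names`. The guard also assumes `get_publisher` and `_` are in scope in this module and that `self._formdata` is set; the enclosing `LazyFormDefObjectsManager` class starts outside the hunk.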