api: raise bad request when ?full=on is given to global forms API (#53944)

2021-05-11 20:33:05 +02:00 · 2021-05-11 20:33:05 +02:00 · 7255de9d3e
parent a80a9e4f5e
commit 7255de9d3e
2 changed files with 5 additions and 1 deletions
--- a/tests/api/test_formdata.py
+++ b/tests/api/test_formdata.py
@ -1200,6 +1200,7 @@ def test_api_global_listing(pub, local_user, user, auth):
    # check error handling
    get_url('/api/forms/?status=done&limit=plop', status=400)
    get_url('/api/forms/?status=done&offset=plop', status=400)
+    get_url('/api/forms/?full=on', status=400)

    # check when there are missing statuses
    for formdata in data_class.select():
--- a/wcs/api.py
+++ b/wcs/api.py
@ -25,7 +25,7 @@ from django.http import HttpResponse, HttpResponseBadRequest, JsonResponse
 from django.utils.encoding import force_text
 from quixote import get_publisher, get_request, get_response, get_session
 from quixote.directory import Directory
-from quixote.errors import MethodNotAllowedError
+from quixote.errors import MethodNotAllowedError, RequestError

 import wcs.qommon.storage as st
 from wcs.admin.settings import UserFieldsFormDef
@ -388,6 +388,9 @@ class ApiFormsDirectory(Directory):
        self.check_access()
        get_request()._user = get_user_from_api_query_string() or get_request().user

+        if get_request().form.get('full') == 'on':
+            raise RequestError('no such parameter "full"')
+
        if FormDef.count() == 0:
            # early return, this avoids running a query against a missing SQL view.
            get_response().set_content_type('application/json')