misc: check category_id from query string is an integer (#46770)

2020-09-22 15:06:57 +02:00 · 2020-09-22 15:06:57 +02:00 · 784670ed10
parent eff8a6cb48
commit 784670ed10
2 changed files with 3 additions and 2 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -2402,6 +2402,7 @@ def test_api_global_listing(pub, local_user):
    # check error handling
    get_app(pub).get(sign_uri('/api/forms/?status=done&limit=plop', user=local_user), status=400)
    get_app(pub).get(sign_uri('/api/forms/?status=done&offset=plop', user=local_user), status=400)
+    get_app(pub).get(sign_uri('/api/forms/?category_id=plop', user=local_user), status=400)

    # check when there are missing statuses
    for formdata in data_class.select():
--- a/wcs/backoffice/management.py
+++ b/wcs/backoffice/management.py
@ -832,8 +832,8 @@ class ManagementDirectory(Directory):
                criterias.append(Equal('submission_channel',
                    get_request().form.get('submission_channel')))
        if get_request().form.get('category_id'):
-            criterias.append(Equal('category_id',
-                get_request().form.get('category_id')))
+            category_id = misc.get_int_or_400(get_request().form.get('category_id'))
+            criterias.append(Equal('category_id', category_id))
        if get_request().form.get('q'):
            criterias.append(FtsMatch(get_request().form.get('q')))
        return criterias