misc: check value passed to |order_by is a string (#67856)

2022-08-02 14:05:49 +02:00 · 2022-08-02 14:05:49 +02:00 · 4ace5a41e3
parent 69ab751d32
commit 4ace5a41e3
2 changed files with 15 additions and 0 deletions
--- a/tests/test_formdata.py
+++ b/tests/test_formdata.py
@ -1096,8 +1096,17 @@ def test_lazy_formdata_queryset(pub, variable_test_data):

    # check ordering
    qs = lazy_formdata.objects.pending().order_by('id')
+    assert qs.count == 7
    assert [x.number for x in qs] == ['1-1', '1-2', '1-3', '1-4', '1-5', '1-6', '1-7']

+    # check ordering with invalid value
+    pub.loggederror_class.wipe()
+    qs = lazy_formdata.objects.pending().order_by(datetime.date(2022, 8, 2))
+    assert qs.count == 0
+    assert pub.loggederror_class.count() == 1
+    logged_error = pub.loggederror_class.select()[0]
+    assert logged_error.summary == 'Invalid value datetime.date(2022, 8, 2) for "order_by"'
+
    # Check accessing an non-numeric attribute doesn't try to cache things
    # (see code for explanation)
    manager = lazy_formdata.objects
--- a/wcs/variables.py
+++ b/wcs/variables.py
@ -69,6 +69,12 @@ class LazyFormDefObjectsManager:
        )

    def order_by(self, attribute):
+        if not isinstance(attribute, str):
+            get_publisher().record_error(
+                _('Invalid value %r for "order_by"') % attribute,
+                formdata=self._formdata,
+            )
+            return self.none()
        field = self.get_field(attribute)
        return self._clone(self._criterias, order_by=field or attribute)