API v2: disallow empty strings as filters (#11832)
stsewd authored Dec 9, 2024
1 parent f562a0a commit 8f583e3
Showing 2 changed files with 27 additions and 6 deletions.
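--- a/readthedocs/api/v2/views/model_views.py
+++ b/readthedocs/api/v2/views/model_views.py
@@ -95,15 +95,17 @@ def list(self, *args, **kwargs):
 
 disabled = True
 
+# DRF strips whitespaces from query params, and if the final string is empty
+# the filter is ignored. So we do the same to check if the filter is going to be used or not.
+project_slug = self.request.GET.get("project__slug", "").strip()
+commit = self.request.GET.get("commit", "").strip()
+slug = self.request.GET.get("slug", "").strip()
 # NOTE: keep list endpoint that specifies a resource
 if any(
 [
-self.basename == "version" and "project__slug" in self.request.GET,
-self.basename == "build"
-and (
-"commit" in self.request.GET or "project__slug" in self.request.GET
-),
-self.basename == "project" and "slug" in self.request.GET,
+self.basename == "version" and project_slug,
+self.basename == "build" and (commit or project_slug),
+self.basename == "project" and slug,
 ]
 ):
 disabled = False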
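Review bot: The check that sets `disabled` re-implements the filter backend's whitespace handling by hand with `.strip()`, so it stays correct only while it matches what the filterset really does with `project__slug`, `commit` and `slug`; the filterset is not visible in this hunk, so that match is assumed rather than verified. If the two ever diverge, a request could again pass this check while the filter is ignored and the listing is returned unfiltered. Consider stating the dependency next to the new lines, e.g. `# Must mirror the FilterSet's normalization of these params; update both together.`, or deriving the decision from the filterset's cleaned values instead of `self.request.GET`. `list()` starts and ends outside the hunk.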
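--- a/readthedocs/rtd_tests/tests/test_api.py
+++ b/readthedocs/rtd_tests/tests/test_api.py
@@ -3333,6 +3333,25 @@ def test_get_active_versions(self):
 self.assertEqual(resp.status_code, 200)
 self.assertEqual(resp.data["count"], pip.versions.filter(active=False).count())
 
+def test_listing_of_versions_without_filtering_by_a_project(self):
+url = reverse("version-list")
+resp = self.client.get(url)
+self.assertEqual(resp.status_code, 410)
+
+data = {
+"active": "true",
+}
+resp = self.client.get(url, data)
+self.assertEqual(resp.status_code, 410)
+
+data["project__slug"] = ""
+resp = self.client.get(url, data)
+self.assertEqual(resp.status_code, 410)
+
+data["project__slug"] = " \n"
+resp = self.client.get(url, data)
+self.assertEqual(resp.status_code, 410)
+
 def test_project_get_active_versions(self):
 pip = Project.objects.get(slug="pip")
 url = reverse("project-active-versions", args=[pip.pk])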
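Review bot: `test_listing_of_versions_without_filtering_by_a_project` covers only the `version` endpoint, while the same commit also changes the `build` (`commit` or `project__slug`) and `project` (`slug`) branches of the check in model_views.py. Those two branches get no empty or whitespace-only case here, so a regression in either would not be caught by this test. Repeating the `""` and `" \n"` assertions against the build and project list routes (their URL names are not shown on this page) would pin all three. A one-line docstring such as `"""The version list endpoint returns 410 unless project__slug is a non-empty filter."""` would also make the expected 410 explicit.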
