api: raise error if known body parameter is in query (#54216)

chrono/api/views.py

@@ -975,6 +975,17 @@ class Fillslots(APIView):
             except (ValueError, Agenda.DoesNotExist):
                 raise Http404()
 
+        known_body_params = set(request.query_params).intersection(
+            {'label', 'user_name', 'backoffice_url', 'user_display_label'}
+        )
+        if known_body_params:
+            params = ', '.join(sorted(list(known_body_params)))
+            raise APIError(
+                _('parameters "%s" must be included in request body, not query') % params,
+                err_class='parameters "%s" must be included in request body, not query' % params,
+                http_status=status.HTTP_400_BAD_REQUEST,
+            )
+
         serializer = self.serializer_class(data=request.data, partial=True)
         if not serializer.is_valid():
             raise APIError(

tests/test_api.py

@@ -1342,6 +1342,21 @@ def test_booking_api(app, some_data, user):
     assert len(resp.json['errors']) == 1
     assert 'user_last_name' in resp.json['errors']
 
+    # test parameters wrongly passed in query are refused
+    resp = app.post_json(
+        '/api/agenda/%s/fillslot/%s/?backoffice_url=https://example.com&label=test' % (agenda.id, event.id),
+        status=400,
+    )
+    assert resp.json['err'] == 1
+    assert (
+        resp.json['err_class']
+        == 'parameters "backoffice_url, label" must be included in request body, not query'
+    )
+    assert (
+        resp.json['err_desc']
+        == 'parameters "backoffice_url, label" must be included in request body, not query'
+    )
+
     resp = app.post('/api/agenda/foobar/fillslot/%s/' % event.id, status=404)
 
     resp = app.post('/api/agenda/0/fillslot/%s/' % event.id, status=404)