api: raise error if known body parameter is in query (#54216)
parent
30390a1f6c
commit
8da8fd1396
|
@ -975,6 +975,17 @@ class Fillslots(APIView):
|
|||
except (ValueError, Agenda.DoesNotExist):
|
||||
raise Http404()
|
||||
|
||||
known_body_params = set(request.query_params).intersection(
|
||||
{'label', 'user_name', 'backoffice_url', 'user_display_label'}
|
||||
)
|
||||
if known_body_params:
|
||||
params = ', '.join(sorted(list(known_body_params)))
|
||||
raise APIError(
|
||||
_('parameters "%s" must be included in request body, not query') % params,
|
||||
err_class='parameters "%s" must be included in request body, not query' % params,
|
||||
http_status=status.HTTP_400_BAD_REQUEST,
|
||||
)
|
||||
|
||||
serializer = self.serializer_class(data=request.data, partial=True)
|
||||
if not serializer.is_valid():
|
||||
raise APIError(
|
||||
|
|
|
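Review bot: The set of rejected names in `known_body_params` is hard-coded to four entries and will drift from the serializer. `user_last_name`, for instance, appears to be a serializer field (the test asserts it in `resp.json['errors']`) yet is still silently ignored when sent in the query string, where personal data also ends up in access logs. Consider deriving the set from the serializer, e.g. `known_body_params = set(request.query_params) & set(self.serializer_class().fields)`, after checking whether any serializer field is legitimately accepted in the query. Failing that, move the names to a class-level constant with a comment saying why only these are covered. Separately, `sorted(list(known_body_params))` can be `sorted(known_body_params)`; the enclosing method starts and ends outside this hunk.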
@ -1342,6 +1342,21 @@ def test_booking_api(app, some_data, user):
|
|||
assert len(resp.json['errors']) == 1
|
||||
assert 'user_last_name' in resp.json['errors']
|
||||
|
||||
# test parameters wrongly passed in query are refused
|
||||
resp = app.post_json(
|
||||
'/api/agenda/%s/fillslot/%s/?backoffice_url=https://example.com&label=test' % (agenda.id, event.id),
|
||||
status=400,
|
||||
)
|
||||
assert resp.json['err'] == 1
|
||||
assert (
|
||||
resp.json['err_class']
|
||||
== 'parameters "backoffice_url, label" must be included in request body, not query'
|
||||
)
|
||||
assert (
|
||||
resp.json['err_desc']
|
||||
== 'parameters "backoffice_url, label" must be included in request body, not query'
|
||||
)
|
||||
|
||||
resp = app.post('/api/agenda/foobar/fillslot/%s/' % event.id, status=404)
|
||||
|
||||
resp = app.post('/api/agenda/0/fillslot/%s/' % event.id, status=404)
|
||||
|
|
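Review bot: Two of the four rejected names, `user_name` and `user_display_label`, are never exercised here; the request only sends `backoffice_url` and `label`. A loop over all four names, asserting `status=400` for each, would catch a typo in the view's set. It would also help to add one request carrying an unrelated query parameter that is still expected to succeed, so the test shows the check is not over-broad. The test function starts and ends outside this hunk, so such cases may already exist elsewhere.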