
Sanity checks against input for ticket search

Currently input parameters within the ticket search view are not
validated, thus (manually) altering the parameters in the query string
issues a 500. This patch attempts to solve this problem, reverting to
the default query when the situation can't be recovered.
commit 119b951086dcb713d4f68d8ac48248e5bc630cbd 1 parent 533fdc8
@kratorius kratorius authored
Showing with 25 additions and 8 deletions.
  1. +25 −8 helpdesk/views/staff.py
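--- a/helpdesk/views/staff.py
+++ b/helpdesk/views/staff.py
@@ -15,6 +15,7 @@
 from django.contrib.auth.decorators import login_required, user_passes_test
 from django.core.files.base import ContentFile
 from django.core.urlresolvers import reverse
+from django.core.exceptions import ValidationError
 from django.core import paginator
 from django.db import connection
 from django.db.models import Q
@@ -609,18 +610,27 @@ def ticket_list(request):
 else:
 queues = request.GET.getlist('queue')
 if queues:
- queues = [int(q) for q in queues]
- query_params['filtering']['queue__id__in'] = queues
+ try:
+ queues = [int(q) for q in queues]
+ query_params['filtering']['queue__id__in'] = queues
+ except ValueError:
+ pass
 owners = request.GET.getlist('assigned_to')
 if owners:
- owners = [int(u) for u in owners]
- query_params['filtering']['assigned_to__id__in'] = owners
+ try:
+ owners = [int(u) for u in owners]
+ query_params['filtering']['assigned_to__id__in'] = owners
+ except ValueError:
+ pass
 statuses = request.GET.getlist('status')
 if statuses:
- statuses = [int(s) for s in statuses]
- query_params['filtering']['status__in'] = statuses
+ try:
+ statuses = [int(s) for s in statuses]
+ query_params['filtering']['status__in'] = statuses
+ except ValueError:
+ pass
 date_from = request.GET.get('date_from')
 if date_from:
@@ -653,8 +663,15 @@ def ticket_list(request):
 sortreverse = request.GET.get('sortreverse', None)
 query_params['sortreverse'] = sortreverse
- ticket_qs = apply_query(Ticket.objects.select_related(), query_params)
- print >> sys.stderr, str(ticket_qs.query)
+ try:
+ ticket_qs = apply_query(Ticket.objects.select_related(), query_params)
+ except ValidationError:
+ # invalid parameters in query, return default query
+ query_params = {
+ 'filtering': {'status__in': [1, 2, 3]},
+ 'sorting': 'created',
+ }
+ ticket_qs = apply_query(Ticket.objects.select_related(), query_params)
 ## TAG MATCHING
 if HAS_TAG_SUPPORT: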
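Review bot: The three `except ValueError: pass` handlers in `ticket_list` discard the whole filter as soon as one value fails `int()`, so a list with a single malformed entry silently widens the result to every queue, owner or status instead of the ones requested. The `except ValidationError` fallback in the last hunk does the same on a larger scale, replacing `query_params` wholesale without telling the user or the logs. Since the commit message says these values only go wrong when the query string is edited by hand, recording the event would make that visible to whoever operates the site, for example `logger.warning("ticket_list: ignoring non-integer %s filter", "queue")` in place of `pass`, assuming the module has or gains a logger. The fallback's `[1, 2, 3]` would also be clearer as the model's named status constants, if it defines them. `ticket_list` starts and ends outside these hunks, so later use of `query_params` is not visible here.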