Fix 500 when no JSON is provided on PATCH (fixes #477, #516)

mozilla-services · Oct 29, 2015 · a45823e · a45823e
1 parent ccbe6f1
commit a45823e
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 3 deletions.
diff --git a/cliquet/resource/__init__.py b/cliquet/resource/__init__.py
@@ -408,7 +408,17 @@ def patch(self):
         old_record = self._get_record_or_404(self.record_id)
         self._raise_412_if_modified(old_record)
 
-        changes = self.request.json.get('data', {})  # May patch only perms.
+        try:
+            # data may not be present if only perms are patched.
+            changes = self.request.json.get('data', {})
+        except ValueError:
+            # XXX: This could be handled in Colander schema (c.f. Viewset)
+            # once hacks in Cornice about schemas will be removed.
+            error_details = {
+                'name': 'data',
+                'description': 'Provide at least one of data or permissions',
+            }
+            raise_invalid(self.request, **error_details)
 
         updated = self.apply_changes(old_record, changes=changes)
 

diff --git a/cliquet/resource/viewset.py b/cliquet/resource/viewset.py
@@ -179,6 +179,11 @@ def get_record_schema(self, resource_cls, method):
                                              permissions=allowed_permissions,
                                              name='permissions')
         schema.add(permissions_node)
+
+        # XXX: If Cornice wouldn't recreate the schema on the fly.
+        # We could make sure using a validator that at least one of `data` or
+        # `permissions` is provided.
+
         return schema
 
     def get_view_arguments(self, endpoint_type, resource_cls, method):

diff --git a/cliquet/tests/resource/test_views.py b/cliquet/tests/resource/test_views.py
@@ -489,9 +489,19 @@ def test_modify_with_invalid_uft8_returns_400(self):
                               status=400)
         self.assertIn('escape sequence', resp.json['message'])
 
-    def test_modify_with_empty_returns_400(self):
+    def test_modify_with_empty_body_returns_400(self):
         self.app.patch(self.get_item_url(),
-                       '',
+                       headers=self.headers,
+                       status=400)
+
+    def test_modify_protected_with_empty_body_returns_400(self):
+        body = {'data': MINIMALIST_RECORD}
+        resp = self.app.post_json('/toadstools',
+                                  body,
+                                  headers=self.headers)
+        record = resp.json['data']
+        item_url = '/toadstools/' + record['id']
+        self.app.patch(item_url,
                        headers=self.headers,
                        status=400)