Ensure unkown subject or recipient raises 400 instead of 500 (#784)

opendatateam · Feb 20, 2017 · 909d984 · 909d984
1 parent 51c7b35
commit 909d984
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,8 @@
 - Raise maximum tag length to 96 in order to at least support
   [official INSPIRE tags](http://inspire.ec.europa.eu/theme)
   [#782](https://github.com/opendatateam/udata/pull/782)
+- Properly raise 400 error on transfer API in case of bad subject or recipient
+  [#784](https://github.com/opendatateam/udata/pull/784)
 
 ## 1.0.1 (2017-02-16)
 

diff --git a/udata/features/transfer/api.py b/udata/features/transfer/api.py
@@ -95,11 +95,19 @@ def post(self):
 
         subject_model = db.resolve_model(data['subject'])
         subject_id = data['subject']['id']
-        subject = subject_model.objects.get(id=subject_id)
+        try:
+            subject = subject_model.objects.get(id=subject_id)
+        except subject_model.DoesNotExist:
+            msg = 'Unkown subject id "{0}"'.format(subject_id)
+            ns.abort(400, errors={'subject': msg})
 
         recipient_model = db.resolve_model(data['recipient'])
         recipient_id = data['recipient']['id']
-        recipient = recipient_model.objects.get(id=recipient_id)
+        try:
+            recipient = recipient_model.objects.get(id=recipient_id)
+        except recipient_model.DoesNotExist:
+            msg = 'Unkown recipient id "{0}"'.format(recipient_id)
+            ns.abort(400, errors={'recipient': msg})
 
         comment = data.get('comment')
 

diff --git a/udata/tests/api/test_transfer_api.py b/udata/tests/api/test_transfer_api.py
@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 from __future__ import unicode_literals
 
+from bson import ObjectId
 from mock import patch
 
 from flask import url_for
@@ -57,3 +58,49 @@ def test_request_dataset_transfer(self, action):
 
         self.assertEqual(data['comment'], comment)
         self.assertEqual(data['status'], 'pending')
+
+    def test_400_on_bad_subject(self):
+        user = self.login()
+        recipient = UserFactory()
+        comment = faker.sentence()
+
+        response = self.post(url_for('api.transfers'), {
+            'subject': {
+                'class': 'Dataset',
+                'id': str(ObjectId()),
+            },
+            'recipient': {
+                'class': 'User',
+                'id': str(recipient.id),
+            },
+            'comment': comment
+        })
+
+        self.assert400(response)
+
+        data = response.json
+
+        self.assertIn('subject', data['errors'])
+
+    def test_400_on_bad_recipient(self):
+        user = self.login()
+        dataset = DatasetFactory(owner=user)
+        comment = faker.sentence()
+
+        response = self.post(url_for('api.transfers'), {
+            'subject': {
+                'class': 'Dataset',
+                'id': str(dataset.id),
+            },
+            'recipient': {
+                'class': 'User',
+                'id': str(ObjectId()),
+            },
+            'comment': comment
+        })
+
+        self.assert400(response)
+
+        data = response.json
+
+        self.assertIn('recipient', data['errors'])