Validate objects in GroupObjectPermissionViewSet

closes #8500
pulp · Jul 19, 2021 · f4e5751 · f4e5751
1 parent 270c4bf
commit f4e5751
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 10 deletions.
diff --git a/CHANGES/8500.bugfix b/CHANGES/8500.bugfix
@@ -0,0 +1,2 @@
+Fixed an internal server error that was raised when a user provided invalid parameters while
+assigning new permissions to an object.
diff --git a/pulpcore/app/viewsets/base.py b/pulpcore/app/viewsets/base.py
@@ -138,7 +138,7 @@ def get_serializer_class(self):
         return self.serializer_class
 
     @staticmethod
-    def get_resource(uri, model):
+    def get_resource(uri, model=None):
         """
         Resolve a resource URI to an instance of the resource.
 
@@ -147,7 +147,8 @@ def get_resource(uri, model):
 
         Args:
             uri (str): A resource URI.
-            model (django.models.Model): A model class.
+            model (django.models.Model): A model class. If not provided, the method automatically
+                determines the used model from the resource URI.
 
         Returns:
             django.models.Model: The resource fetched from the DB.
@@ -168,6 +169,10 @@ def get_resource(uri, model):
                     kwargs["{}__pk".format(key[:-3])] = value
                 else:
                     kwargs[key] = value
+
+        if model is None:
+            model = match.func.cls.queryset.model
+
         try:
             return model.objects.get(**kwargs)
         except model.MultipleObjectsReturned:

diff --git a/pulpcore/app/viewsets/user.py b/pulpcore/app/viewsets/user.py
@@ -1,9 +1,9 @@
 from gettext import gettext as _
-import uuid
 
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group, Permission
 from django.core.exceptions import FieldError
+from django.db import IntegrityError
 from django.shortcuts import get_object_or_404
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import extend_schema
@@ -265,17 +265,18 @@ class GroupObjectPermissionViewSet(NamedModelViewSet):
     pulp_model_alias = "ObjectPermission"
 
     def get_object_pk(self, request):
-        """Get object pk."""
+        """Return an object's pk from the request."""
 
         if "obj" not in request.data:
             raise ValidationError(_("Please provide 'obj' value"))
+
+        obj_url = request.data["obj"]
         try:
-            obj_pk = request.data["obj"].strip("/").split("/")[-1]
-            uuid.UUID(obj_pk)
-        except (AttributeError, ValueError):
-            raise ValidationError(_("Invalid value for 'obj': {obj}").format(request.data["obj"]))
+            obj = NamedModelViewSet.get_resource(obj_url)
+        except ValidationError:
+            raise ValidationError(_("Invalid value for 'obj': {}.").format(obj_url))
 
-        return obj_pk
+        return obj.pk
 
     def get_model_permission(self, request):
         """Get model permission"""
@@ -338,7 +339,12 @@ def create(self, request, group_pk):
             content_type_id=permission.content_type_id,
             object_pk=object_pk,
         )
-        object_permission.save()
+
+        try:
+            object_permission.save()
+        except IntegrityError:
+            raise ValidationError(_("The assigned permission already exists."))
+
         serializer = PermissionSerializer(
             object_permission, context={"group_pk": group_pk, "request": request}
         )