Sanity checks against input for ticket search #108

Merged
merged 3 commits into from

3 participants

@kratorius

Currently input parameters within the ticket search view are not validated, thus (manually) altering the parameters in the query string issues a 500. This patch attempts to solve this problem, reverting to the default query when the situation can't be recovered.

@kratorius kratorius Sanity checks against input for ticket search
Currently input parameters within the ticket search view are not
validated, thus (manually) altering the parameters in the query string
issues a 500. This patch attempts to solve this problem, reverting to
the default query when the situation can't be recovered.
119b951
@vovkd

this pull request relates to my issue post #107

@kratorius kratorius apply_query shouldn't modify the parameters dictionary
Changing parameters in apply_query might yield an invalid state in later
code that assumes the query was not changed.
This patch avoids parameters modification and should fix the issue
reported in #109
b647250
@rossp rossp merged commit 230f94f into rossp:master
Commits on Jan 17, 2012
  1. @kratorius

    Sanity checks against input for ticket search

    kratorius authored
    Currently input parameters within the ticket search view are not
    validated, thus (manually) altering the parameters in the query string
    issues a 500. This patch attempts to solve this problem, reverting to
    the default query when the situation can't be recovered.
Commits on Jan 18, 2012
  1. @kratorius

    apply_query shouldn't modify the parameters dictionary

    kratorius authored
    Changing parameters in apply_query might yield an invalid state in later
    code that assumes the query was not changed.
    This patch avoids parameters modification and should fix the issue
    reported in #109
  2. @kratorius
Showing with 31 additions and 12 deletions.
  1. +6 −4 helpdesk/lib.py
  2. +25 −8 helpdesk/views/staff.py
10 helpdesk/lib.py
@@ -173,10 +173,12 @@ def apply_query(queryset, params):
# eg a Q() set
queryset = queryset.filter(params['other_filter'])
- if params.get('sorting', None):
- if params.get('sortreverse', None):
- params['sorting'] = "-%s" % params['sorting']
- queryset = queryset.order_by(params['sorting'])
+ sorting = params.get('sorting', None)
+ if not sorting:
+ sortreverse = params.get('sortreverse', None)
+ if sortreverse:
+ sorting = "-%s" % sorting
+ queryset = queryset.order_by(sorting)
return queryset
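Review bot: The rewritten guard inverts the original condition: `if not sorting:` enters the ordering branch only when no `sorting` value is present, so a requested sort is silently ignored and, when it is absent, `queryset.order_by(None)` (or `"-None"` with sortreverse) is issued — the removed code ran the branch on a truthy `params.get('sorting')`. The line should read `if sorting:`. The value still reaches `order_by` unfiltered; since Django's `order_by` accepts any resolvable field name, including related-model lookups, callers that take it from the query string should check it against an allowlist of sortable fields before calling apply_query. The signature and opening lines of apply_query are outside the hunk, so this is based on the visible lines only.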
33 helpdesk/views/staff.py
@@ -15,6 +15,7 @@
from django.contrib.auth.decorators import login_required, user_passes_test
from django.core.files.base import ContentFile
from django.core.urlresolvers import reverse
+from django.core.exceptions import ValidationError
from django.core import paginator
from django.db import connection
from django.db.models import Q
@@ -609,18 +610,27 @@ def ticket_list(request):
else:
queues = request.GET.getlist('queue')
if queues:
- queues = [int(q) for q in queues]
- query_params['filtering']['queue__id__in'] = queues
+ try:
+ queues = [int(q) for q in queues]
+ query_params['filtering']['queue__id__in'] = queues
+ except ValueError:
+ pass
owners = request.GET.getlist('assigned_to')
if owners:
- owners = [int(u) for u in owners]
- query_params['filtering']['assigned_to__id__in'] = owners
+ try:
+ owners = [int(u) for u in owners]
+ query_params['filtering']['assigned_to__id__in'] = owners
+ except ValueError:
+ pass
statuses = request.GET.getlist('status')
if statuses:
- statuses = [int(s) for s in statuses]
- query_params['filtering']['status__in'] = statuses
+ try:
+ statuses = [int(s) for s in statuses]
+ query_params['filtering']['status__in'] = statuses
+ except ValueError:
+ pass
date_from = request.GET.get('date_from')
if date_from:
@@ -653,8 +663,15 @@ def ticket_list(request):
sortreverse = request.GET.get('sortreverse', None)
query_params['sortreverse'] = sortreverse
- ticket_qs = apply_query(Ticket.objects.select_related(), query_params)
- print >> sys.stderr, str(ticket_qs.query)
+ try:
+ ticket_qs = apply_query(Ticket.objects.select_related(), query_params)
+ except ValidationError:
+ # invalid parameters in query, return default query
+ query_params = {
+ 'filtering': {'status__in': [1, 2, 3]},
+ 'sorting': 'created',
+ }
+ ticket_qs = apply_query(Ticket.objects.select_related(), query_params)
## TAG MATCHING
if HAS_TAG_SUPPORT:
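Review bot: The `except ValidationError` around `apply_query` only catches errors raised while the queryset is being built; an unresolvable name in `sorting` (presumably taken from request.GET like `sortreverse` a few lines above) or a bad lookup key raises FieldError rather than ValidationError, and because querysets are lazy an invalid ORDER BY typically surfaces when the result is evaluated, after this block — so the 500 the patch targets can still be triggered. Validate the sort key before it reaches apply_query, e.g. `if query_params.get('sorting') not in [f.name for f in Ticket._meta.fields]: query_params['sorting'] = 'created'`, and widen the handler to `except (ValidationError, FieldError):` (FieldError lives in django.core.exceptions alongside the ValidationError import this change adds). The three `except ValueError: pass` blocks are a reasonable best-effort, but a comment such as `# non-numeric id in the query string: drop this filter` would make the deliberate silence explicit. The fallback query hardcodes `{'status__in': [1, 2, 3]}` and `'created'`; if ticket_list builds the same default earlier (outside the hunk) it should be reused rather than duplicated. ticket_list begins and ends outside the hunks shown.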