Add validation for allowed query paramters

zopefoundation · Apr 8, 2019 · e49942d · e49942d
1 parent dd30d44
commit e49942d
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 3 deletions.
diff --git a/src/Products/PluginIndexes/FieldIndex/tests.py b/src/Products/PluginIndexes/FieldIndex/tests.py
@@ -256,6 +256,13 @@ def testRange(self):
         self._checkApply(record, expect)
 
         # Make sure that range tests with incompatible paramters
-        # don't return empty sets.
+        # raise a RuntimeError
         record['foo']['operator'] = 'and'
-        self._checkApply(record, expect)
+        self.assertRaises(RuntimeError, self._checkApply, record, expect)
+
+        # alternative syntax of record
+        record = {'foo': [-99, 3],
+                  'foo_range': 'min:max',
+                  'foo_operator': 'and'}
+
+        self.assertRaises(RuntimeError, self._checkApply, record, expect)
diff --git a/src/Products/ZCatalog/query.py b/src/Products/ZCatalog/query.py
@@ -53,13 +53,17 @@ def __init__(self, request, iid, options=(), operators=('or', 'and'),
           default_operator -- the default operator
         """
 
+        self.request = request
         self.id = iid
         self.operators = operators
         self.operator = default_operator
+
         if iid not in request:
             self.keys = None
             return
 
+        self.options = options
+
         param = request[iid]
         keys = None
 
@@ -97,15 +101,41 @@ def __init__(self, request, iid, options=(), operators=('or', 'and'),
                 not_value = [not_value]
                 self.set('not', not_value)
 
+    @property
+    def options(self):
+        return self._options
+
+    @options.setter
+    def options(self, value):
+        iid = self.id
+        request = self.request
+        options = value
+        param = request[iid]
+
+        if isinstance(param, dict):
+            for op in param.keys():
+                if op == 'query':
+                    continue
+                if op not in options:
+                    raise RuntimeError('index %s: option %r is not valid' % (iid, op)) 
+        else:
+            for field in request.keys():
+                if field.startswith(iid + '_'):
+                    iid_tmp, op = field.split('_')
+                    if op not in options:
+                        raise RuntimeError('index %s: option %r is not valid' % (iid, op))
+        self._options = options
+
     @property
     def operator(self):
         return self._operator
 
     @operator.setter
     def operator(self, value):
+        iid = self.id
         value = value.lower()
         if value not in self.operators:
-            raise RuntimeError('operator not valid: %r' % value)
+            raise RuntimeError('index %s: operator %r is not valid' % (iid, value))
         self._operator = value.lower()
 
     def get(self, key, default_v=None):