Commit 5c4038b8 authored by Romain Courteaud's avatar Romain Courteaud Committed by Lu Xu

erp5_hal_json_style: forbid querying unknown catalog column

parent f47608de
......@@ -1727,6 +1727,19 @@ def calculateHateoas(is_portal=None, is_site_root=None, traversed_document=None,
byteify(
json.loads(urlsafe_b64decode(default_param_json)))))
if query:
# Forbid querying unknown catalog column
invalid_column_list = []
def isValidColumnOrRaise(column_id):
is_valid_column = sql_catalog.isValidColumn(column_id)
if not is_valid_column:
invalid_column_list.append(column_id)
return is_valid_column
sql_catalog.parseSearchText(query, search_key='FullTextKey', is_valid=isValidColumnOrRaise)
if invalid_column_list:
response.setStatus(400)
result_dict["_debug"] = 'Invalid column name: %s' % str(invalid_column_list)
return result_dict
catalog_kw["full_text"] = query
if selection_domain is not None:
......
......@@ -1432,6 +1432,34 @@ class TestERP5Document_getHateoas_mode_search(ERP5HALJSONStyleSkinsMixin):
# No count if not in the listbox context currently
self.assertEqual(result_dict['_embedded'].get('count', None), None)
@simulate('Base_getRequestUrl', '*args, **kwargs', 'return "http://example.org/bar"')
@simulate('Base_getRequestHeader', '*args, **kwargs', 'return "application/hal+json"')
@simulate('Test_listCatalog', '*args, **kwargs', "return []")
@changeSkin('Hal')
def test_getHateoas_query_param_reject_unknown_column(self, **kw):
"""Check that listbox line calculation modify the selection
"""
self.portal.foo_module.FooModule_viewFooList.listbox.ListBox_setPropertyList(
field_count_method = '')
selection_tool = self.portal.portal_selections
selection_name = self.portal.foo_module.FooModule_viewFooList.listbox.get_value('selection_name')
selection_tool.setSelectionFor(selection_name, Selection(selection_name))
# Create the listbox selection
fake_request = do_fake_request("GET")
result = self.portal.web_site_module.hateoas.ERP5Document_getHateoas(
REQUEST=fake_request,
mode="search",
query='bar:"foo"'
)
self.assertEquals(fake_request.RESPONSE.status, 400)
self.assertEquals(fake_request.RESPONSE.getHeader('Content-Type'),
"application/hal+json"
)
result_dict = json.loads(result)
self.assertEqual(result_dict['_debug'], "Invalid column name: ['bar', 'bar']")
@simulate('Base_getRequestUrl', '*args, **kwargs',
'return "http://example.org/bar"')
@simulate('Base_getRequestHeader', '*args, **kwargs',
......@@ -2231,7 +2259,7 @@ return context.getPortalObject().portal_catalog(portal_type='Foo', sort_on=[('id
REQUEST=fake_request,
mode="search",
local_roles=["Manager"],
query='bar:"foo"',
query='id:"foo"',
list_method='Test_listCatalog',
select_list=['title', 'uid'],
selection_domain=json.dumps({'foo_domain': 'a/a1', 'foo_category': 'a/a2'}),
......@@ -2250,7 +2278,7 @@ return context.getPortalObject().portal_catalog(portal_type='Foo', sort_on=[('id
self.assertEquals(
selection.getParams(), {
'local_roles': ['Manager'],
'full_text': 'bar:"foo"',
'full_text': 'id:"foo"',
'ignore_unknown_columns': True,
'portal_type': ['Foo'],
'limit': 1000
......
<?xml version="1.0"?>
<ZopeData>
<record id="1" aka="AAAAAAAAAAE=">
<pickle>
<global name="ZopePageTemplate" module="Products.PageTemplates.ZopePageTemplate"/>
</pickle>
<pickle>
<dictionary>
<item>
<key> <string>_bind_names</string> </key>
<value>
<object>
<klass>
<global name="NameAssignments" module="Shared.DC.Scripts.Bindings"/>
</klass>
<tuple/>
<state>
<dictionary>
<item>
<key> <string>_asgns</string> </key>
<value>
<dictionary>
<item>
<key> <string>name_subpath</string> </key>
<value> <string>traverse_subpath</string> </value>
</item>
</dictionary>
</value>
</item>
</dictionary>
</state>
</object>
</value>
</item>
<item>
<key> <string>content_type</string> </key>
<value> <string>text/html</string> </value>
</item>
<item>
<key> <string>expand</string> </key>
<value> <int>0</int> </value>
</item>
<item>
<key> <string>id</string> </key>
<value> <string>testListboxQueryRejectUnknownColumn</string> </value>
</item>
<item>
<key> <string>output_encoding</string> </key>
<value> <string>utf-8</string> </value>
</item>
<item>
<key> <string>title</string> </key>
<value> <unicode></unicode> </value>
</item>
</dictionary>
</pickle>
</record>
</ZopeData>
<html xmlns:tal="http://xml.zope.org/namespaces/tal"
xmlns:metal="http://xml.zope.org/namespaces/metal">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Test RenderJS UI</title>
</head>
<body>
<table cellpadding="1" cellspacing="1" border="1">
<thead>
<tr><td rowspan="1" colspan="3">Test RenderJS UI</td></tr>
</thead><tbody>
<tal:block metal:use-macro="here/Zuite_CommonTemplate/macros/init" />
<!-- Clean Up -->
<tr>
<td>open</td>
<td>${base_url}/bar_module/ListBoxZuite_reset</td>
<td></td>
</tr>
<tr>
<td>assertTextPresent</td>
<td>Reset Successfully.</td>
<td></td>
</tr>
<!-- Initialize -->
<tr>
<td>open</td>
<td>${base_url}/web_site_module/renderjs_runner/#/foo_module</td>
<td></td>
</tr>
<tal:block metal:use-macro="here/Zuite_CommonTemplateForRenderjsUi/macros/wait_for_listbox_loaded" />
<tal:block tal:define="search_query python: 'bar:&#34;foo&#34;'">
<tal:block metal:use-macro="here/Zuite_CommonTemplateForRenderjsUi/macros/search_in_form_list" />
</tal:block>
<tr>
<td>assertElementPresent</td>
<td>//span[text()="Invalid Search Criteria"]</td>
<td></td>
</tr>
<tal:block tal:define="parsed_query python: 'bar:&nbsp; &#34;foo&#34;';
search_query python: ''">
<tal:block metal:use-macro="here/Zuite_CommonTemplateForRenderjsUi/macros/check_search_in_form_list" />
</tal:block>
</tbody></table>
</body>
</html>
\ No newline at end of file
......@@ -19,12 +19,12 @@
<tal:block metal:use-macro="here/Zuite_CommonTemplateForRenderjsUi/macros/wait_for_app_loaded" />
<tal:block metal:use-macro="here/Zuite_CommonTemplateForRenderjsUi/macros/wait_for_listbox_loaded" />
<tal:block tal:define="search_query python: 'foo:&#34;bar&#34; AND barfoo'">
<tal:block tal:define="search_query python: 'title:&#34;bar&#34; AND barfoo'">
<tal:block metal:use-macro="here/Zuite_CommonTemplateForRenderjsUi/macros/search_in_form_list" />
</tal:block>
<tal:block metal:use-macro="here/Zuite_CommonTemplateForRenderjsUi/macros/wait_for_listbox_loaded" />
<tal:block tal:define="parsed_query python: 'foo:&nbsp; &#34;bar&#34;';
<tal:block tal:define="parsed_query python: 'title:&nbsp; &#34;bar&#34;';
search_query python: 'barfoo'">
<tal:block metal:use-macro="here/Zuite_CommonTemplateForRenderjsUi/macros/check_search_in_form_list" />
</tal:block>
......@@ -69,7 +69,7 @@
<td>Foos</td>
<td></td>
</tr>
<tal:block tal:define="parsed_query python: 'foo:&nbsp; &#34;bar&#34;';
<tal:block tal:define="parsed_query python: 'title:&nbsp; &#34;bar&#34;';
search_query python: 'barfoo'">
<tal:block metal:use-macro="here/Zuite_CommonTemplateForRenderjsUi/macros/check_search_in_form_list" />
</tal:block>
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment