erp5_hal_json_style: forbid querying unknown catalog column

3b0e3d55 · Romain Courteaud · 25ecc376 · 3b0e3d55 · 3b0e3d55
Commit 3b0e3d55 authored Sep 03, 2020 by Romain Courteaud 🐙
2 changed files
--- a/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
+++ b/bt5/erp5_hal_json_style/SkinTemplateItem/portal_skins/erp5_hal_json_style/ERP5Document_getHateoas.py
@@ -1727,6 +1727,19 @@ def calculateHateoas(is_portal=None, is_site_root=None, traversed_document=None,
            byteify(
              json.loads(urlsafe_b64decode(default_param_json)))))
      if query:
+        # Forbid querying unknown catalog column
+        invalid_column_list = []
+        def isValidColumnOrRaise(column_id):
+          is_valid_column = sql_catalog.isValidColumn(column_id)
+          if not is_valid_column:
+            invalid_column_list.append(column_id)
+          return is_valid_column
+        sql_catalog.parseSearchText(query, search_key='FullTextKey', is_valid=isValidColumnOrRaise)
+
+        if invalid_column_list:
+          response.setStatus(400)
+          result_dict["_debug"] = 'Invalid column name: %s' % str(invalid_column_list)
+          return result_dict
        catalog_kw["full_text"] = query

      if selection_domain is not None:

--- a/bt5/erp5_hal_json_style/TestTemplateItem/portal_components/test.erp5.testHalJsonStyle.py
+++ b/bt5/erp5_hal_json_style/TestTemplateItem/portal_components/test.erp5.testHalJsonStyle.py
@@ -1432,6 +1432,34 @@ class TestERP5Document_getHateoas_mode_search(ERP5HALJSONStyleSkinsMixin):
    # No count if not in the listbox context currently
    self.assertEqual(result_dict['_embedded'].get('count', None), None)

+  @simulate('Base_getRequestUrl', '*args, **kwargs', 'return "http://example.org/bar"')
+  @simulate('Base_getRequestHeader', '*args, **kwargs', 'return "application/hal+json"')
+  @simulate('Test_listCatalog', '*args, **kwargs', "return []")
+  @changeSkin('Hal')
+  def test_getHateoas_query_param_reject_unknown_column(self, **kw):
+    """Check that listbox line calculation modify the selection
+    """
+    self.portal.foo_module.FooModule_viewFooList.listbox.ListBox_setPropertyList(
+      field_count_method = '')
+
+    selection_tool = self.portal.portal_selections
+    selection_name = self.portal.foo_module.FooModule_viewFooList.listbox.get_value('selection_name')
+    selection_tool.setSelectionFor(selection_name, Selection(selection_name))
+
+    # Create the listbox selection
+    fake_request = do_fake_request("GET")
+    result = self.portal.web_site_module.hateoas.ERP5Document_getHateoas(
+      REQUEST=fake_request,
+      mode="search",
+      query='bar:"foo"'
+    )
+    self.assertEquals(fake_request.RESPONSE.status, 400)
+    self.assertEquals(fake_request.RESPONSE.getHeader('Content-Type'),
+      "application/hal+json"
+    )
+    result_dict = json.loads(result)
+    self.assertEqual(result_dict['_debug'], "Invalid column name: ['bar', 'bar']")
+
  @simulate('Base_getRequestUrl', '*args, **kwargs',
      'return "http://example.org/bar"')
  @simulate('Base_getRequestHeader', '*args, **kwargs',
@@ -2231,7 +2259,7 @@ return context.getPortalObject().portal_catalog(portal_type='Foo', sort_on=[('id
      REQUEST=fake_request,
      mode="search",
      local_roles=["Manager"],
-      query='bar:"foo"',
+      query='id:"foo"',
      list_method='Test_listCatalog',
      select_list=['title', 'uid'],
      selection_domain=json.dumps({'foo_domain': 'a/a1', 'foo_category': 'a/a2'}),
@@ -2250,7 +2278,7 @@ return context.getPortalObject().portal_catalog(portal_type='Foo', sort_on=[('id
    self.assertEquals(
      selection.getParams(), {
        'local_roles': ['Manager'],
-        'full_text': 'bar:"foo"',
+        'full_text': 'id:"foo"',
        'ignore_unknown_columns': True,
        'portal_type': ['Foo'],
        'limit': 1000