Validate parameters in update_subscriptions_backend.

w/unit tests added (imported from commit a0c0d779279b35ffc5bf1fbe4c5c5a25af263c10)
2013-12-12 20:57:14 -05:00 · 2013-12-12 20:57:14 -05:00 · 0cdcf102a0
parent 6b70e9ddb7
commit 0cdcf102a0
2 changed files with 44 additions and 0 deletions
--- a/zerver/tests.py
+++ b/zerver/tests.py
@ -1460,6 +1460,39 @@ class SubscriptionRestApiTest(AuthedTestCase):
        streams = self.get_streams(email)
        self.assertTrue('my_test_stream_1' not in streams)

+    def test_bad_add_parameters(self):
+        email = 'hamlet@zulip.com'
+        self.login(email)
+
+        def check_for_error(val, expected_message):
+            request = {
+                'add': ujson.dumps(val)
+            }
+            result = self.client_patch(
+                "/api/v1/users/me/subscriptions",
+                request,
+                **self.api_auth(email)
+            )
+            self.assert_json_error(result, expected_message)
+
+        check_for_error(['foo'], 'add[0] is not a dict')
+        check_for_error([{'bogus': 'foo'}], 'name key is missing from add[0]')
+        check_for_error([{'name': {}}], 'add[0]["name"] is not a string')
+
+    def test_bad_delete_parameters(self):
+        email = 'hamlet@zulip.com'
+        self.login(email)
+
+        request = {
+            'delete': ujson.dumps([{'name': 'my_test_stream_1'}])
+        }
+        result = self.client_patch(
+            "/api/v1/users/me/subscriptions",
+            request,
+            **self.api_auth(email)
+        )
+        self.assert_json_error(result, "delete[0] is not a string")
+
 class SubscriptionAPITest(AuthedTestCase):

    def setUp(self):
--- a/zerver/views/init.py
+++ b/zerver/views/init.py
@ -52,6 +52,7 @@ from openid.consumer.consumer import SUCCESS as openid_SUCCESS
 from openid.extensions import ax
 from zerver.lib import bugdown
 from zerver.lib.alert_words import user_alert_words
+from zerver.lib.validator import check_string, check_list, check_dict

 from zerver.decorator import require_post, \
    authenticated_api_view, authenticated_json_post_view, \
@ -1561,6 +1562,16 @@ def update_subscriptions_backend(request, user_profile,
    if not add and not delete:
        return json_error('Nothing to do. Specify at least one of "add" or "delete".')

+    # validate 'add' is a list of one-item dicts with key "name" and a string value
+    error = check_list(check_dict([['name', check_string]]))('add', add)
+    if error:
+        raise JsonableError(error)
+
+    # validate 'delete' is a list of strings
+    error = check_list(check_string)('delete', delete)
+    if error:
+        raise JsonableError(error)
+
    json_dict = {}
    for method, items in ((add_subscriptions_backend, add), (remove_subscriptions_backend, delete)):
        response = method(request, user_profile, streams_raw=items)