hit the is_valid method before stripping the special fields in credential view

2026-01-15 03:40:42 -03:30 · 2016-05-05 14:20:36 -04:00 · 2016-05-05 14:20:36 -04:00 · b1dfa28459
commit b1dfa28459
parent 097c450581
2 changed files with 15 additions and 0 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -1231,6 +1231,11 @@ class CredentialList(ListCreateAPIView):
    serializer_class = CredentialSerializerCreate

    def post(self, request, *args, **kwargs):
+
+        # Check the validity of POST data, including special fields
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+
        for field in [x for x in ['user', 'team', 'organization'] if x in request.data and request.data[x] in ('', None)]:
            request.data.pop(field)
            kwargs.pop(field, None)
--- a/awx/main/tests/functional/api/test_credential.py
+++ b/awx/main/tests/functional/api/test_credential.py
@ -21,6 +21,16 @@ def test_create_user_credential_via_credentials_list(post, get, alice):
    assert response.status_code == 200
    assert response.data['count'] == 1

+@pytest.mark.django_db
+def test_credential_validation_error_with_bad_user(post, alice):
+    response = post(reverse('api:credential_list'), {
+        'user': 'asdf',
+        'name': 'Some name',
+        'username': 'someusername'
+    }, alice)
+    assert response.status_code == 403
+    assert response.data['detail'] == 'You do not have permission to perform this action.'
+
@pytest.mark.django_db
 def test_create_user_credential_via_user_credentials_list(post, get, alice):
    response = post(reverse('api:user_credentials_list', args=(alice.pk,)), {