prohibit order_by= for sensitive fields

see: #5526
2026-02-23 14:05:59 -03:30 · 2017-02-23 15:22:08 -05:00
parent 053ecd1093
commit f4d4c43d94
3 changed files with 45 additions and 0 deletions
--- a/awx/main/tests/functional/api/test_credential.py
+++ b/awx/main/tests/functional/api/test_credential.py
@@ -339,6 +339,21 @@ def test_list_created_org_credentials(post, get, organization, org_admin, org_me
    assert response.data['count'] == 0


+@pytest.mark.parametrize('order_by', ('password', '-password', 'password,pk', '-password,pk'))
+@pytest.mark.django_db
+def test_list_cannot_order_by_encrypted_field(post, get, organization, org_admin, order_by):
+    for i, password in enumerate(('abc', 'def', 'xyz')):
+        response = post(reverse('api:credential_list'), {
+            'organization': organization.id,
+            'name': 'C%d' % i,
+            'password': password
+        }, org_admin)
+
+    response = get(reverse('api:credential_list'), org_admin,
+                   QUERY_STRING='order_by=%s' % order_by, status=400)
+    assert response.status_code == 400
+
+
 #
 # Openstack Credentials
 #