Merge pull request #5560 from wenottingham/bad-request-bad-naughty-evil-request

Fix survey validation to always retun an error code if erroring Reviewed-by: https://github.com/apps/softwarefactory-project-zuul
2026-01-13 02:50:02 -03:30 · 2019-12-20 18:38:27 +00:00 · 2019-12-20 18:38:27 +00:00 · f9e0600263
commit f9e0600263
parent 82fd245ca9 3ba1ba1c9d
2 changed files with 30 additions and 6 deletions
--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
@ -2549,7 +2549,7 @@ class JobTemplateSurveySpec(GenericAPIView):
                if not isinstance(val, allow_types):
                    return Response(dict(error=_("'{field_name}' in survey question {idx} expected to be {type_label}.").format(
                        field_name=field_name, type_label=type_label, **context
-                    )))
+                    )), status=status.HTTP_400_BAD_REQUEST)
            if survey_item['variable'] in variable_set:
                return Response(dict(error=_("'variable' '%(item)s' duplicated in survey question %(survey)s.") % {
                    'item': survey_item['variable'], 'survey': str(idx)}), status=status.HTTP_400_BAD_REQUEST)
@ -2564,7 +2564,7 @@ class JobTemplateSurveySpec(GenericAPIView):
                    "'{survey_item[type]}' in survey question {idx} is not one of '{allowed_types}' allowed question types."
                ).format(
                    allowed_types=', '.join(JobTemplateSurveySpec.ALLOWED_TYPES.keys()), **context
-                )))
+                )), status=status.HTTP_400_BAD_REQUEST)
            if 'default' in survey_item and survey_item['default'] != '':
                if not isinstance(survey_item['default'], JobTemplateSurveySpec.ALLOWED_TYPES[qtype]):
                    type_label = 'string'
@ -2582,7 +2582,7 @@ class JobTemplateSurveySpec(GenericAPIView):
                    if survey_item[key] is not None and (not isinstance(survey_item[key], int)):
                        return Response(dict(error=_(
                            "The {min_or_max} limit in survey question {idx} expected to be integer."
-                        ).format(min_or_max=key, **context)))
+                        ).format(min_or_max=key, **context)), status=status.HTTP_400_BAD_REQUEST)
            # if it's a multiselect or multiple choice, it must have coices listed
            # choices and defualts must come in as strings seperated by /n characters.
            if qtype == 'multiselect' or qtype == 'multiplechoice':
@ -2592,7 +2592,7 @@ class JobTemplateSurveySpec(GenericAPIView):
                else:
                    return Response(dict(error=_(
                        "Survey question {idx} of type {survey_item[type]} must specify choices.".format(**context)
-                    )))
+                    )), status=status.HTTP_400_BAD_REQUEST)
                # If there is a default string split it out removing extra /n characters.
                # Note: There can still be extra newline characters added in the API, these are sanitized out using .strip()
                if 'default' in survey_item:
@ -2606,11 +2606,11 @@ class JobTemplateSurveySpec(GenericAPIView):
                        if len(list_of_defaults) > 1:
                            return Response(dict(error=_(
                                "Multiple Choice (Single Select) can only have one default value.".format(**context)
-                            )))
+                            )), status=status.HTTP_400_BAD_REQUEST)
                    if any(item not in survey_item['choices'] for item in list_of_defaults):
                        return Response(dict(error=_(
                            "Default choice must be answered from the choices listed.".format(**context)
-                        )))
+                        )), status=status.HTTP_400_BAD_REQUEST)

            # Process encryption substitution
            if ("default" in survey_item and isinstance(survey_item['default'], str) and
--- a/awx/main/tests/functional/api/test_survey_spec.py
+++ b/awx/main/tests/functional/api/test_survey_spec.py
@ -219,6 +219,30 @@ def test_survey_spec_passwords_with_default_required(job_template_factory, post,
        assert launch_value not in json.loads(job.extra_vars).values()


+@pytest.mark.django_db
+def test_survey_spec_default_not_allowed(job_template, post, admin_user):
+    survey_input_data = {
+        'description': 'A survey',
+        'spec': [{
+            'question_name': 'You must choose wisely',
+            'variable': 'your_choice',
+            'default': 'blue',
+            'required': False,
+            'type': 'multiplechoice',
+            "choices": ["red", "green", "purple"]
+        }],
+        'name': 'my survey'
+    }
+    r = post(
+        url=reverse(
+            'api:job_template_survey_spec',
+            kwargs={'pk': job_template.id}
+        ),
+        data=survey_input_data, user=admin_user, expect=400
+    )
+    assert r.data['error'] == 'Default choice must be answered from the choices listed.'
+
+
@pytest.mark.django_db
@pytest.mark.parametrize('default, status', [
    ('SUPERSECRET', 200),