External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-11 06:29:31 -02:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5560 from wenottingham/bad-request-bad-naughty-evil-request

Browse Source 
Fix survey validation to always retun an error code if erroring

Reviewed-by: https://github.com/apps/softwarefactory-project-zuul
This commit is contained in:
softwarefactory-project-zuul[bot]
2019-12-20 18:38:27 +00:00
committed by GitHub
parent 82fd245ca9 3ba1ba1c9d
commit f9e0600263
2 changed files with 30 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
awx/api/views/__init__.py
View File

@@ -2549,7 +2549,7 @@ class JobTemplateSurveySpec(GenericAPIView):
if not isinstance(val, allow_types): if not isinstance(val, allow_types):
return Response(dict(error=_("'{field_name}' in survey question {idx} expected to be {type_label}.").format( return Response(dict(error=_("'{field_name}' in survey question {idx} expected to be {type_label}.").format(
field_name=field_name, type_label=type_label, **context field_name=field_name, type_label=type_label, **context
))) )), status=status.HTTP_400_BAD_REQUEST)
if survey_item['variable'] in variable_set: if survey_item['variable'] in variable_set:
return Response(dict(error=_("'variable' '%(item)s' duplicated in survey question %(survey)s.") % { return Response(dict(error=_("'variable' '%(item)s' duplicated in survey question %(survey)s.") % {
'item': survey_item['variable'], 'survey': str(idx)}), status=status.HTTP_400_BAD_REQUEST) 'item': survey_item['variable'], 'survey': str(idx)}), status=status.HTTP_400_BAD_REQUEST)
@@ -2564,7 +2564,7 @@ class JobTemplateSurveySpec(GenericAPIView):
"'{survey_item[type]}' in survey question {idx} is not one of '{allowed_types}' allowed question types." "'{survey_item[type]}' in survey question {idx} is not one of '{allowed_types}' allowed question types."
).format( ).format(
allowed_types=', '.join(JobTemplateSurveySpec.ALLOWED_TYPES.keys()), **context allowed_types=', '.join(JobTemplateSurveySpec.ALLOWED_TYPES.keys()), **context
))) )), status=status.HTTP_400_BAD_REQUEST)
if 'default' in survey_item and survey_item['default'] != '': if 'default' in survey_item and survey_item['default'] != '':
if not isinstance(survey_item['default'], JobTemplateSurveySpec.ALLOWED_TYPES[qtype]): if not isinstance(survey_item['default'], JobTemplateSurveySpec.ALLOWED_TYPES[qtype]):
type_label = 'string' type_label = 'string'
@@ -2582,7 +2582,7 @@ class JobTemplateSurveySpec(GenericAPIView):
if survey_item[key] is not None and (not isinstance(survey_item[key], int)): if survey_item[key] is not None and (not isinstance(survey_item[key], int)):
return Response(dict(error=_( return Response(dict(error=_(
"The {min_or_max} limit in survey question {idx} expected to be integer." "The {min_or_max} limit in survey question {idx} expected to be integer."
).format(min_or_max=key, **context))) ).format(min_or_max=key, **context)), status=status.HTTP_400_BAD_REQUEST)
# if it's a multiselect or multiple choice, it must have coices listed # if it's a multiselect or multiple choice, it must have coices listed
# choices and defualts must come in as strings seperated by /n characters. # choices and defualts must come in as strings seperated by /n characters.
if qtype == 'multiselect' or qtype == 'multiplechoice': if qtype == 'multiselect' or qtype == 'multiplechoice':
@@ -2592,7 +2592,7 @@ class JobTemplateSurveySpec(GenericAPIView):
else: else:
return Response(dict(error=_( return Response(dict(error=_(
"Survey question {idx} of type {survey_item[type]} must specify choices.".format(**context) "Survey question {idx} of type {survey_item[type]} must specify choices.".format(**context)
))) )), status=status.HTTP_400_BAD_REQUEST)
# If there is a default string split it out removing extra /n characters. # If there is a default string split it out removing extra /n characters.
# Note: There can still be extra newline characters added in the API, these are sanitized out using .strip() # Note: There can still be extra newline characters added in the API, these are sanitized out using .strip()
if 'default' in survey_item: if 'default' in survey_item:
@@ -2606,11 +2606,11 @@ class JobTemplateSurveySpec(GenericAPIView):
if len(list_of_defaults) > 1: if len(list_of_defaults) > 1:
return Response(dict(error=_( return Response(dict(error=_(
"Multiple Choice (Single Select) can only have one default value.".format(**context) "Multiple Choice (Single Select) can only have one default value.".format(**context)
))) )), status=status.HTTP_400_BAD_REQUEST)
if any(item not in survey_item['choices'] for item in list_of_defaults): if any(item not in survey_item['choices'] for item in list_of_defaults):
return Response(dict(error=_( return Response(dict(error=_(
"Default choice must be answered from the choices listed.".format(**context) "Default choice must be answered from the choices listed.".format(**context)
))) )), status=status.HTTP_400_BAD_REQUEST)
# Process encryption substitution # Process encryption substitution
if ("default" in survey_item and isinstance(survey_item['default'], str) and if ("default" in survey_item and isinstance(survey_item['default'], str) and

24
awx/main/tests/functional/api/test_survey_spec.py
View File

@@ -219,6 +219,30 @@ def test_survey_spec_passwords_with_default_required(job_template_factory, post,
assert launch_value not in json.loads(job.extra_vars).values() assert launch_value not in json.loads(job.extra_vars).values()
@pytest.mark.django_db
def test_survey_spec_default_not_allowed(job_template, post, admin_user):
survey_input_data = {
'description': 'A survey',
'spec': [{
'question_name': 'You must choose wisely',
'variable': 'your_choice',
'default': 'blue',
'required': False,
'type': 'multiplechoice',
"choices": ["red", "green", "purple"]
}],
'name': 'my survey'
}
r = post(
url=reverse(
'api:job_template_survey_spec',
kwargs={'pk': job_template.id}
),
data=survey_input_data, user=admin_user, expect=400
)
assert r.data['error'] == 'Default choice must be answered from the choices listed.'
@pytest.mark.django_db @pytest.mark.django_db
@pytest.mark.parametrize('default, status', [ @pytest.mark.parametrize('default, status', [
('SUPERSECRET', 200), ('SUPERSECRET', 200),