extern/django-helpdesk
1
0
Fork 1
mirror of https://github.com/django-helpdesk/django-helpdesk.git synced 2025-03-05 18:51:33 +01:00
Code Issues Packages Projects Releases Wiki Activity

Sanity checks against input for ticket search

Browse Source 
Currently input parameters within the ticket search view are not
validated, thus (manually) altering the parameters in the query string
issues a 500. This patch attempts to solve this problem, reverting to
the default query when the situation can't be recovered.
This commit is contained in:
Ivan Giuliani 2012-01-17 13:14:21 +01:00
parent 533fdc8c2a
commit 119b951086
1 changed files with 25 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
helpdesk/views/staff.py
View File

@ -15,6 +15,7 @@ from django.contrib.auth.models import User
from django.contrib.auth.decorators import login_required, user_passes_test from django.contrib.auth.decorators import login_required, user_passes_test
from django.core.files.base import ContentFile from django.core.files.base import ContentFile
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.core.exceptions import ValidationError
from django.core import paginator from django.core import paginator
from django.db import connection from django.db import connection
from django.db.models import Q from django.db.models import Q
@ -609,18 +610,27 @@ def ticket_list(request):
else: else:
queues = request.GET.getlist('queue') queues = request.GET.getlist('queue')
if queues: if queues:
queues = [int(q) for q in queues] try:
query_params['filtering']['queue__id__in'] = queues queues = [int(q) for q in queues]
query_params['filtering']['queue__id__in'] = queues
except ValueError:
pass
owners = request.GET.getlist('assigned_to') owners = request.GET.getlist('assigned_to')
if owners: if owners:
owners = [int(u) for u in owners] try:
query_params['filtering']['assigned_to__id__in'] = owners owners = [int(u) for u in owners]
query_params['filtering']['assigned_to__id__in'] = owners
except ValueError:
pass
statuses = request.GET.getlist('status') statuses = request.GET.getlist('status')
if statuses: if statuses:
statuses = [int(s) for s in statuses] try:
query_params['filtering']['status__in'] = statuses statuses = [int(s) for s in statuses]
query_params['filtering']['status__in'] = statuses
except ValueError:
pass
date_from = request.GET.get('date_from') date_from = request.GET.get('date_from')
if date_from: if date_from:
@ -653,8 +663,15 @@ def ticket_list(request):
sortreverse = request.GET.get('sortreverse', None) sortreverse = request.GET.get('sortreverse', None)
query_params['sortreverse'] = sortreverse query_params['sortreverse'] = sortreverse
ticket_qs = apply_query(Ticket.objects.select_related(), query_params) try:
print >> sys.stderr, str(ticket_qs.query) ticket_qs = apply_query(Ticket.objects.select_related(), query_params)
except ValidationError:
# invalid parameters in query, return default query
query_params = {
'filtering': {'status__in': [1, 2, 3]},
'sorting': 'created',
}
ticket_qs = apply_query(Ticket.objects.select_related(), query_params)
## TAG MATCHING ## TAG MATCHING
if HAS_TAG_SUPPORT: if HAS_TAG_SUPPORT: