From 119b951086dcb713d4f68d8ac48248e5bc630cbd Mon Sep 17 00:00:00 2001
From: Ivan Giuliani
Date: Tue, 17 Jan 2012 13:14:21 +0100
Subject: [PATCH 1/3] Sanity checks against input for ticket search

Currently input parameters within the ticket search view are not validated, thus (manually) altering the parameters in the query string issues a 500. This patch attempts to solve this problem, reverting to the default query when the situation can't be recovered.
---
 helpdesk/views/staff.py | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/helpdesk/views/staff.py b/helpdesk/views/staff.py
index b792094e..ce5afaee 100644
--- a/helpdesk/views/staff.py
+++ b/helpdesk/views/staff.py
@@ -15,6 +15,7 @@ from django.contrib.auth.models import User
 from django.contrib.auth.decorators import login_required, user_passes_test
 from django.core.files.base import ContentFile
 from django.core.urlresolvers import reverse
+from django.core.exceptions import ValidationError
 from django.core import paginator
 from django.db import connection
 from django.db.models import Q
@@ -609,18 +610,27 @@ def ticket_list(request):
 else:
 queues = request.GET.getlist('queue')
 if queues:
- queues = [int(q) for q in queues]
- query_params['filtering']['queue__id__in'] = queues
+ try:
+ queues = [int(q) for q in queues]
+ query_params['filtering']['queue__id__in'] = queues
+ except ValueError:
+ pass
 owners = request.GET.getlist('assigned_to')
 if owners:
- owners = [int(u) for u in owners]
- query_params['filtering']['assigned_to__id__in'] = owners
+ try:
+ owners = [int(u) for u in owners]
+ query_params['filtering']['assigned_to__id__in'] = owners
+ except ValueError:
+ pass
 statuses = request.GET.getlist('status')
 if statuses:
- statuses = [int(s) for s in statuses]
- query_params['filtering']['status__in'] = statuses
+ try:
+ statuses = [int(s) for s in statuses]
+ query_params['filtering']['status__in'] = statuses
+ except ValueError:
+ pass
 date_from = request.GET.get('date_from')
 if date_from:
@@ -653,8 +663,15 @@ def ticket_list(request):
 sortreverse = request.GET.get('sortreverse', None)
 query_params['sortreverse'] = sortreverse
- ticket_qs = apply_query(Ticket.objects.select_related(), query_params)
- print >> sys.stderr, str(ticket_qs.query)
+ try:
+ ticket_qs = apply_query(Ticket.objects.select_related(), query_params)
+ except ValidationError:
+ # invalid parameters in query, return default query
+ query_params = {
+ 'filtering': {'status__in': [1, 2, 3]},
+ 'sorting': 'created',
+ }
+ ticket_qs = apply_query(Ticket.objects.select_related(), query_params)
 ## TAG MATCHING
 if HAS_TAG_SUPPORT:
From b6472507e467791c2963973ec691ef0f4619cdc1 Mon Sep 17 00:00:00 2001
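Review bot: Each new `except ValueError: pass` silently drops the whole filter, so a request carrying one malformed id (e.g. a non-numeric `queue` value) returns the unfiltered ticket list instead of an error, and the `queues`/`owners`/`statuses` local stays bound to the raw strings rather than ints; anything later in ticket_list that reuses those locals (outside this hunk) would see inconsistent values. The three try/except blocks differ only in the parameter name, so a small helper removes the duplication and makes the "ignore a tampered filter rather than 500" decision explicit in one place, with each call site reduced to `queues = _int_list(request, 'queue')`. Whether silently widening the result set is preferable to rejecting the request is a product decision worth recording in a comment next to the helper. The enclosing ticket_list begins before this hunk and continues after it.
```python
def _int_list(request, name):
    """Return repeated GET parameter *name* as ints, or None if absent or any value is not an integer.

    A tampered value drops the filter instead of raising a 500; callers must treat None as "no filter".
    """
    try:
        return [int(v) for v in request.GET.getlist(name)] or None
    except ValueError:
        return None

# … in ticket_list, replacing the three try/except blocks …
queues = _int_list(request, 'queue')
if queues:
    query_params['filtering']['queue__id__in'] = queues
```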
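Review bot: The new `except ValidationError` branch silently replaces the user's filters with the hard-coded `{'status__in': [1, 2, 3]}` and gives no indication that the query was discarded; the literal list is a magic value that the ticket status constants (if the Ticket model defines them — not visible here) or a named module-level default should replace, and the comment could state the intent, e.g. `# invalid filter/sort values (possibly tampered): fall back to the default open-ticket list instead of a 500`. Note that `ValidationError` covers only what the ORM raises while applying the filters; if the sort key comes from the request (its handling is outside this hunk), an unknown field name would raise `FieldError` from `order_by` instead and still produce a 500. With the `print >> sys.stderr` line removed, `sys` may no longer be used in this module — worth checking the import block, which is outside this hunk.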
From: Ivan Giuliani
Date: Wed, 18 Jan 2012 14:39:36 +0100
Subject: [PATCH 2/3] apply_query shouldn't modify the parameters dictionary

Changing parameters in apply_query might yield an invalid state in later code that assumes the query was not changed. This patch avoids parameters modification and should fix the issue reported in #109
---
 helpdesk/lib.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/helpdesk/lib.py b/helpdesk/lib.py
index 99a3c579..6c825038 100644
--- a/helpdesk/lib.py
+++ b/helpdesk/lib.py
@@ -173,10 +173,12 @@ def apply_query(queryset, params):
 # eg a Q() set
 queryset = queryset.filter(params['other_filter'])
- if params.get('sorting', None):
- if params.get('sortreverse', None):
- params['sorting'] = "-%s" % params['sorting']
- queryset = queryset.order_by(params['sorting'])
+ sorting = params.get('sorting', None)
+ if not sorting:
+ sortreverse = params.get('sortreverse', None)
+ if not sortreverse:
+ sorting = "-%s" % sorting
+ queryset = queryset.order_by(sorting)
 return queryset
From 5eb8b6eeb722cc86064e240ec5bdc8274320c199 Mon Sep 17 00:00:00 2001
From: Ivan Giuliani
Date: Wed, 18 Jan 2012 23:36:58 +0100
Subject: [PATCH 3/3] Silly mistake: reversed condition in 'if' check
---
 helpdesk/lib.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helpdesk/lib.py b/helpdesk/lib.py
index 6c825038..b7972633 100644
--- a/helpdesk/lib.py
+++ b/helpdesk/lib.py
@@ -176,7 +176,7 @@ def apply_query(queryset, params):
 sorting = params.get('sorting', None)
 if not sorting:
 sortreverse = params.get('sortreverse', None)
- if not sortreverse:
+ if sortreverse:
 sorting = "-%s" % sorting
 queryset = queryset.order_by(sorting)
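Review bot: The rewritten outer condition `if not sorting:` is inverted — the removed code entered the block when a sort key was present, whereas the new code enters it only when there is none, so a supplied sort key is never applied and an absent one yields `order_by("-None")` (a `FieldError`) whenever `sortreverse` is set. PATCH 3/3 below flips only the inner `sortreverse` test and leaves this outer test inverted, so the defect survives the whole series; the fix is `if sorting:`. A short docstring on apply_query stating that `params` is read-only and that `sorting`/`sortreverse` are optional keys would record the contract this patch introduces. apply_query begins before this hunk.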
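Review bot: `queryset.order_by(sorting)` passes the sort key through unvalidated, and if it originates from the request (the staff view hunk above reads `sortreverse` from `request.GET`, so the sort key plausibly does too — not visible here) any field or related-field lookup of Ticket can be used as the ordering column, and an unknown name raises `FieldError`, which the view's new `except ValidationError` does not catch. Checking the key against an allow-list of sortable columns before `order_by` — e.g. `if sorting not in SORTABLE_FIELDS: sorting = 'created'` with `SORTABLE_FIELDS = ('created', 'status', 'queue', 'assigned_to')` (names illustrative, taken from keys used elsewhere in this series) — closes both the 500 and the ordering-by-arbitrary-columns exposure. The enclosing apply_query starts before this hunk.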