Sanity checks against input for ticket search

Currently input parameters within the ticket search view are not validated, thus (manually) altering the parameters in the query string issues a 500. This patch attempts to solve this problem, reverting to the default query when the situation can't be recovered.
2024-11-22 07:53:19 +01:00 · 2012-01-17 13:14:21 +01:00 · 2012-01-17 13:14:21 +01:00 · 119b951086
commit 119b951086
parent 533fdc8c2a
1 changed files with 25 additions and 8 deletions
--- a/helpdesk/views/staff.py
+++ b/helpdesk/views/staff.py
@ -15,6 +15,7 @@ from django.contrib.auth.models import User
 from django.contrib.auth.decorators import login_required, user_passes_test
 from django.core.files.base import ContentFile
 from django.core.urlresolvers import reverse
+from django.core.exceptions import ValidationError
 from django.core import paginator
 from django.db import connection
 from django.db.models import Q
@ -609,18 +610,27 @@ def ticket_list(request):
    else:
        queues = request.GET.getlist('queue')
        if queues:
-            queues = [int(q) for q in queues]
-            query_params['filtering']['queue__id__in'] = queues
+            try:
+                queues = [int(q) for q in queues]
+                query_params['filtering']['queue__id__in'] = queues
+            except ValueError:
+                pass

        owners = request.GET.getlist('assigned_to')
        if owners:
-            owners = [int(u) for u in owners]
-            query_params['filtering']['assigned_to__id__in'] = owners
+            try:
+                owners = [int(u) for u in owners]
+                query_params['filtering']['assigned_to__id__in'] = owners
+            except ValueError:
+                pass

        statuses = request.GET.getlist('status')
        if statuses:
-            statuses = [int(s) for s in statuses]
-            query_params['filtering']['status__in'] = statuses
+            try:
+                statuses = [int(s) for s in statuses]
+                query_params['filtering']['status__in'] = statuses
+            except ValueError:
+                pass

        date_from = request.GET.get('date_from')
        if date_from:
@ -653,8 +663,15 @@ def ticket_list(request):
        sortreverse = request.GET.get('sortreverse', None)
        query_params['sortreverse'] = sortreverse

-    ticket_qs = apply_query(Ticket.objects.select_related(), query_params)
-    print >> sys.stderr,  str(ticket_qs.query)
+    try:
+        ticket_qs = apply_query(Ticket.objects.select_related(), query_params)
+    except ValidationError:
+        # invalid parameters in query, return default query
+        query_params = {
+            'filtering': {'status__in': [1, 2, 3]},
+            'sorting': 'created',
+        }
+        ticket_qs = apply_query(Ticket.objects.select_related(), query_params)

    ## TAG MATCHING
    if HAS_TAG_SUPPORT: