From b9c8517b82f67d99e32137e1bd163f7acc3d691a Mon Sep 17 00:00:00 2001
From: Ethan Nguyen <etnguyen03@hotmail.com>
Date: Fri, 23 Apr 2021 22:37:30 -0400
Subject: [PATCH] fix(destinations): don't 500 on non-integer college id

---
 tjdests/apps/destinations/tests.py | 15 +++++++++++++++
 tjdests/apps/destinations/views.py | 10 ++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/tjdests/apps/destinations/tests.py b/tjdests/apps/destinations/tests.py
index cad8456..ddcb323 100644
--- a/tjdests/apps/destinations/tests.py
+++ b/tjdests/apps/destinations/tests.py
@@ -134,6 +134,21 @@ class DestinationsTest(TJDestsTestCase):
         self.assertIn(user, response.context["object_list"])
         self.assertNotIn(user2, response.context["object_list"])
 
+        # Non alphanumeric should 404
+        response = self.client.get(
+            reverse("destinations:students"), data={"college": str(college.id) + "f"}
+        )
+        self.assertEqual(404, response.status_code)
+
+        # Non existent should 404
+        # sanity check
+        assert College.objects.filter(id=college.id + 5).count() == 0
+
+        response = self.client.get(
+            reverse("destinations:students"), data={"college": college.id + 5}
+        )
+        self.assertEqual(404, response.status_code)
+
         response = self.client.get(
             reverse("destinations:students"), data={"college": college2.id}
         )
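Review bot: The comment `# Non alphanumeric should 404` does not match the input below it: `str(college.id) + "f"` is alphanumeric, and the case under test is a non-integer id, so `# Non-integer college id should 404` would be accurate. The sanity check uses a bare `assert`, which is skipped under `python -O` and reports less on failure than the TestCase helpers; `self.assertFalse(College.objects.filter(id=college.id + 5).exists())` matches the rest of the method. Neither new case covers a value that passes `str.isdigit()` without being a parseable integer, which is the gap left by the view's guard. The test method begins above this hunk.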
diff --git a/tjdests/apps/destinations/views.py b/tjdests/apps/destinations/views.py
index 86aed05..bbcb8c4 100644
--- a/tjdests/apps/destinations/views.py
+++ b/tjdests/apps/destinations/views.py
@@ -1,6 +1,9 @@
+from typing import Optional
+
 from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
 from django.core.exceptions import PermissionDenied
 from django.db.models import Count, Q, QuerySet
+from django.http import Http404
 from django.shortcuts import get_object_or_404
 from django.views.generic import ListView
 
@@ -26,8 +29,11 @@ class StudentDestinationListView(
 
         queryset = queryset.filter(is_senior=True).order_by("last_name", "first_name")
 
-        college_id = self.request.GET.get("college", None)
+        college_id: Optional[str] = self.request.GET.get("college", None)
         if college_id is not None:
+            if not college_id.isdigit():
+                raise Http404()
+
             get_object_or_404(College, id=college_id)
             queryset = queryset.filter(decision__college__id=college_id)
 
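Review bot: The added `college_id.isdigit()` guard accepts more than `int()` does, so some request values can still reach the `id=college_id` lookup unparsed. `str.isdigit()` returns True for characters such as superscript digits, which `int()` rejects, so such a value would presumably still raise inside the ORM and return the 500 this commit removes. Restricting the check to ASCII closes that: `if not (college_id.isascii() and college_id.isdigit()): raise Http404()`. A very long digit string also passes the guard; whether the backend rejects an out-of-range integer cleanly depends on the Django version and database, so a length or range bound is worth considering. The later hunk in `get_context_data` repeats `get_object_or_404(College, id=college_id)` without any guard and is only safe because `get_queryset` normally runs first; a shared helper that parses and validates the parameter once would remove that ordering dependency. Both method bodies continue outside their hunks.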
@@ -46,7 +52,7 @@ class StudentDestinationListView(
     ):  # pylint: disable=unused-argument
         context = super().get_context_data(**kwargs)
 
-        college_id = self.request.GET.get("college", None)
+        college_id: Optional[str] = self.request.GET.get("college", None)
         if college_id is not None:
             context["college"] = get_object_or_404(College, id=college_id)