fix(destinations): don't 500 on non-integer college id

2025-04-21 02:00:16 -04:00 · 2021-04-23 22:37:30 -04:00 · 2021-04-23 22:37:30 -04:00 · b9c8517b82
commit b9c8517b82
parent 8709c6fa5f
2 changed files with 23 additions and 2 deletions
--- a/tjdests/apps/destinations/tests.py
+++ b/tjdests/apps/destinations/tests.py
@ -134,6 +134,21 @@ class DestinationsTest(TJDestsTestCase):
        self.assertIn(user, response.context["object_list"])
        self.assertNotIn(user2, response.context["object_list"])

+        # Non alphanumeric should 404
+        response = self.client.get(
+            reverse("destinations:students"), data={"college": str(college.id) + "f"}
+        )
+        self.assertEqual(404, response.status_code)
+
+        # Non existent should 404
+        # sanity check
+        assert College.objects.filter(id=college.id + 5).count() == 0
+
+        response = self.client.get(
+            reverse("destinations:students"), data={"college": college.id + 5}
+        )
+        self.assertEqual(404, response.status_code)
+
        response = self.client.get(
            reverse("destinations:students"), data={"college": college2.id}
        )
--- a/tjdests/apps/destinations/views.py
+++ b/tjdests/apps/destinations/views.py
@ -1,6 +1,9 @@
+from typing import Optional
+
 from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
 from django.core.exceptions import PermissionDenied
 from django.db.models import Count, Q, QuerySet
+from django.http import Http404
 from django.shortcuts import get_object_or_404
 from django.views.generic import ListView

@ -26,8 +29,11 @@ class StudentDestinationListView(

        queryset = queryset.filter(is_senior=True).order_by("last_name", "first_name")

-        college_id = self.request.GET.get("college", None)
+        college_id: Optional[str] = self.request.GET.get("college", None)
        if college_id is not None:
+            if not college_id.isdigit():
+                raise Http404()
+
            get_object_or_404(College, id=college_id)
            queryset = queryset.filter(decision__college__id=college_id)

@ -46,7 +52,7 @@ class StudentDestinationListView(
    ):  # pylint: disable=unused-argument
        context = super().get_context_data(**kwargs)

-        college_id = self.request.GET.get("college", None)
+        college_id: Optional[str] = self.request.GET.get("college", None)
        if college_id is not None:
            context["college"] = get_object_or_404(College, id=college_id)