Closed
Using the Django ordering filter (3.2.5), if the term is a valid ordering_fields entry and the user specifies -- instead of -, then an exception is thrown.
Assuming url.con points to a view SnippetList as shown below, the double -- typo generates an exception in debug mode (error 500 in debug false). Expectation is that this is ignored as an invalid ordering field.
http://127.0.0.1:8000/snippets?ordering=--title
A possible fix is to replace ltrim() in filters.py line 260 to strip only the first leading dash from "--title". This should cause the remaining field name "-title" to drop out of the fields list.
```python
from django.db import models
from rest_framework import generics, serializers

# LANGUAGE_CHOICES and STYLE_CHOICES are defined elsewhere in the project
# (their definitions are not shown in this report).


class Snippet(models.Model):
    created = models.DateTimeField(auto_now_add=True)
    title = models.CharField(max_length=100, blank=True, default='')
    code = models.TextField()
    linenos = models.BooleanField(default=False)
    language = models.CharField(choices=LANGUAGE_CHOICES, default='python', max_length=100)
    style = models.CharField(choices=STYLE_CHOICES, default='friendly', max_length=100)

    class Meta:
        ordering = ('created',)


class SnippetSerializer(serializers.ModelSerializer):
    class Meta:
        model = Snippet
        fields = ('id', 'title', 'code', 'linenos', 'language', 'style')


class SnippetList(generics.ListCreateAPIView):
    queryset = Snippet.objects.all()
    serializer_class = SnippetSerializer
    # Trailing comma makes this a one-element tuple rather than the string 'title'.
    ordering_fields = ('title',)
```
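The check described in this report, modelled as an added stand-alone example (not code from the issue or from Django REST framework): the whitelist lookup runs on a stripped copy of the term, while the original term is what gets passed on to the query. The function names and the sample whitelist are hypothetical.

```python
# Added illustration: a stand-alone model of the ordering-term check,
# not Django REST framework source. All names here are hypothetical.
VALID_FIELDS = ["title", "created"]  # constructed sample whitelist


def parse_ordering_param(raw):
    """Split a comma-separated ?ordering= value into trimmed terms."""
    return [part.strip() for part in raw.split(",") if part.strip()]


def filter_terms_strip_all(terms, valid_fields):
    """Behaviour described in the report: every leading '-' is stripped
    before the whitelist lookup, so '--title' is accepted and returned
    unchanged, then fails later when used as an ordering expression."""
    return [t for t in terms if t.lstrip("-") in valid_fields]


def filter_terms_strip_one(terms, valid_fields):
    """Proposed behaviour: remove at most one leading '-' (the descending
    marker); what remains must match a whitelisted name exactly."""
    kept = []
    for term in terms:
        name = term[1:] if term.startswith("-") else term
        if name in valid_fields:
            kept.append(term)
    return kept


if __name__ == "__main__":
    # Constructed sample query-string values.
    for raw in ("title", "-title", "--title", "---created,title", "-"):
        terms = parse_ordering_param(raw)
        print(
            f"{raw!r:22} strip-all={filter_terms_strip_all(terms, VALID_FIELDS)} "
            f"strip-one={filter_terms_strip_one(terms, VALID_FIELDS)}"
        )
```

With the strip-one check, the value that passed validation is exactly the value that reaches the query, so a malformed term is dropped instead of surfacing as a 500.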