From ed70f5636a3eb9de0d726002521a33319d8d94a5 Mon Sep 17 00:00:00 2001
From: vimarshc
Date: Thu, 11 May 2017 12:53:10 +0530
Subject: [PATCH 1/2] Added failing test case for multiple hyphens in orderingfilter paramter
---
 tests/test_filters.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/tests/test_filters.py b/tests/test_filters.py
index d2c11d258e..15eb2ccf32 100644
--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@@ -764,6 +764,22 @@ class OrderingListView(generics.ListAPIView):
 {'id': 1, 'title': 'zyx', 'text': 'abc'},
 ]
+ def test_incorrecturl_extrahyphens_ordering(self):
+ class OrderingListView(generics.ListAPIView):
+ queryset = OrderingFilterModel.objects.all()
+ serializer_class = OrderingFilterSerializer
+ filter_backends = (filters.OrderingFilter,)
+ ordering = ('title',)
+ ordering_fields = ('text',)
+
+ view = OrderingListView.as_view()
+ request = factory.get('/', {'ordering':'--text'})
+ response = view(request)
+ assert response.data == [
+ {'id': 3, 'title': 'xwv', 'text': 'cde'},
+ {'id': 2, 'title': 'yxw', 'text': 'bcd'},
+ {'id': 1, 'title': 'zyx', 'text': 'abc'},
+ ]
 def test_incorrectfield_ordering(self):
 class OrderingListView(generics.ListAPIView):
 queryset = OrderingFilterModel.objects.all()

From b2d614930166b6d2e3df89c7dc486fbbcf9ebd37 Mon Sep 17 00:00:00 2001
From: vimarshc
Date: Sat, 13 May 2017 04:54:22 +0530
Subject: [PATCH 2/2] importing regex constant to remove invalid parameters.
---
 rest_framework/filters.py | 3 ++-
 tests/test_filters.py | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/rest_framework/filters.py b/rest_framework/filters.py
index 429b79c777..aea9d3a57b 100644
--- a/rest_framework/filters.py
+++ b/rest_framework/filters.py
@@ -11,6 +11,7 @@
 from django.core.exceptions import ImproperlyConfigured
 from django.db import models
 from django.db.models.constants import LOOKUP_SEP
+from django.db.models.sql.constants import ORDER_PATTERN
 from django.template import loader
 from django.utils import six
 from django.utils.encoding import force_text
@@ -268,7 +269,7 @@ def get_valid_fields(self, queryset, view, context={}):
 def remove_invalid_fields(self, queryset, fields, view, request):
 valid_fields = [item[0] for item in self.get_valid_fields(queryset, view, {'request': request})]
- return [term for term in fields if term.lstrip('-') in valid_fields]
+ return [term for term in fields if term.lstrip('-') in valid_fields and ORDER_PATTERN.match(term)]
 def filter_queryset(self, request, queryset, view):
 ordering = self.get_ordering(request, queryset, view)
diff --git a/tests/test_filters.py b/tests/test_filters.py
index 15eb2ccf32..b2de80998f 100644
--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@@ -773,13 +773,14 @@ class OrderingListView(generics.ListAPIView):
 ordering_fields = ('text',)
 view = OrderingListView.as_view()
- request = factory.get('/', {'ordering':'--text'})
+ request = factory.get('/', {'ordering': '--text'})
 response = view(request)
 assert response.data == [
 {'id': 3, 'title': 'xwv', 'text': 'cde'},
 {'id': 2, 'title': 'yxw', 'text': 'bcd'},
 {'id': 1, 'title': 'zyx', 'text': 'abc'},
 ]
+
 def test_incorrectfield_ordering(self):
 class OrderingListView(generics.ListAPIView):
 queryset = OrderingFilterModel.objects.all()
@@ -899,6 +900,7 @@ class OrderingListView(generics.ListAPIView):
 queryset = OrderingFilterModel.objects.all()
 filter_backends = (filters.OrderingFilter,)
 ordering = ('title',)
+ # note: no ordering_fields and serializer_class specified
 def get_serializer_class(self):
pFad - Phonifier reborn
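Review bot: In `remove_invalid_fields` (rest_framework/filters.py) the allow-list test still uses `term.lstrip('-')`, which strips any number of leading hyphens, so `--text` passes the `valid_fields` check and is only rejected afterwards by `ORDER_PATTERN`, a constant pulled from Django's internal `django.db.models.sql.constants` module. This function is the filter applied to the client-supplied `ordering` terms, so its accept/reject rule is better kept self-contained than tied to a regex whose definition is not visible here and is not part of Django's documented API. Stripping at most one hyphen gives the same result for the new test without the extra import: `return [term for term in fields if (term[1:] if term.startswith('-') else term) in valid_fields]`. The accompanying test only exercises `--text` on its own; a request that mixes a valid term with a malformed one would pin that only the malformed term is dropped.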
