fix: ensure xform query is numeric

ukanga · ukanga · commit 1fddd093d5c2 · 2024-11-25T16:11:38.000+03:00
Closes #2641
diff --git a/onadata/apps/api/tests/viewsets/test_attachment_viewset.py b/onadata/apps/api/tests/viewsets/test_attachment_viewset.py
@@ -2,6 +2,7 @@
 """
 Test Attachment viewsets.
 """
+
 import os
 
 from django.utils import timezone
@@ -235,12 +236,19 @@ def test_list_view_filter_by_xform(self):
         response = self.list_view(request)
         self.assertEqual(response.status_code, 404)
 
+        # Authenticated user access
         data["xform"] = "lol"
         request = self.factory.get("/", data, **self.extra)
         response = self.list_view(request)
         self.assertEqual(response.status_code, 400)
         self.assertEqual(response.get("Cache-Control"), None)
 
+        # Anonymous user access
+        data["xform"] = "lol"
+        request = self.factory.get("/", data)
+        response = self.list_view(request)
+        self.assertContains(response, "Not Found", status_code=404)
+
     def test_list_view_filter_by_instance(self):
         self._submit_transport_instance_w_attachment()
 
diff --git a/onadata/apps/api/viewsets/attachment_viewset.py b/onadata/apps/api/viewsets/attachment_viewset.py
@@ -2,9 +2,11 @@
 """
 The /api/v1/attachments API implementation.
 """
+
 from django.conf import settings
 from django.core.files.storage import default_storage
 from django.http import Http404
+from django.shortcuts import get_object_or_404
 from django.utils.translation import gettext as _
 
 from rest_framework import renderers, viewsets
@@ -16,6 +18,7 @@
 from onadata.apps.logger.models.attachment import Attachment
 from onadata.apps.logger.models.xform import XForm
 from onadata.libs import filters
+from onadata.libs.data import parse_int
 from onadata.libs.mixins.authenticate_header_mixin import AuthenticateHeaderMixin
 from onadata.libs.mixins.cache_control_mixin import CacheControlMixin
 from onadata.libs.mixins.etags_mixin import ETagsMixin
@@ -106,8 +109,12 @@ def list(self, request, *args, **kwargs):
         if request.user.is_anonymous:
             xform = request.query_params.get("xform")
             if xform:
-                xform = XForm.objects.get(id=xform)
-                if not xform.shared_data:
+                xform = parse_int(xform)
+                if xform:
+                    xform = get_object_or_404(XForm, pk=xform)
+                    if not xform.shared_data:
+                        raise Http404(_("Not Found"))
+                else:
                     raise Http404(_("Not Found"))
 
         # pylint: disable=attribute-defined-outside-init
