
Commit 1fddd09

committed
fix: ensure xform query is numeric
Closes #2641
1 parent b215501 commit 1fddd09

2 files changed

+17
-2
lines changed


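--- a/onadata/apps/api/tests/viewsets/test_attachment_viewset.py
+++ b/onadata/apps/api/tests/viewsets/test_attachment_viewset.py
@@ -2,6 +2,7 @@
 """
 Test Attachment viewsets.
 """
+
 import os
 
 from django.utils import timezone
@@ -235,12 +236,19 @@ def test_list_view_filter_by_xform(self):
         response = self.list_view(request)
         self.assertEqual(response.status_code, 404)
 
+        # Authenticated user access
         data["xform"] = "lol"
         request = self.factory.get("/", data, **self.extra)
         response = self.list_view(request)
         self.assertEqual(response.status_code, 400)
         self.assertEqual(response.get("Cache-Control"), None)
 
+        # Anonymous user access
+        data["xform"] = "lol"
+        request = self.factory.get("/", data)
+        response = self.list_view(request)
+        self.assertContains(response, "Not Found", status_code=404)
+
     def test_list_view_filter_by_instance(self):
         self._submit_transport_instance_w_attachment()
 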
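Review bot: The added anonymous-access block only covers the non-numeric case, so the new `get_object_or_404(XForm, pk=xform)` path in the viewset is never exercised by these lines; a second assertion with a numeric id that does not exist, e.g. `data["xform"] = 1234567` followed by the same anonymous request and `self.assertContains(response, "Not Found", status_code=404)`, would pin that branch too. The repeated `data["xform"] = "lol"` under `# Anonymous user access` is redundant, since the unchanged line above already set it and nothing resets it; dropping it makes the comment the only thing that distinguishes the two sub-cases. The test method starts above the hunk.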
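--- a/onadata/apps/api/viewsets/attachment_viewset.py
+++ b/onadata/apps/api/viewsets/attachment_viewset.py
@@ -2,9 +2,11 @@
 """
 The /api/v1/attachments API implementation.
 """
+
 from django.conf import settings
 from django.core.files.storage import default_storage
 from django.http import Http404
+from django.shortcuts import get_object_or_404
 from django.utils.translation import gettext as _
 
 from rest_framework import renderers, viewsets
@@ -16,6 +18,7 @@
 from onadata.apps.logger.models.attachment import Attachment
 from onadata.apps.logger.models.xform import XForm
 from onadata.libs import filters
+from onadata.libs.data import parse_int
 from onadata.libs.mixins.authenticate_header_mixin import AuthenticateHeaderMixin
 from onadata.libs.mixins.cache_control_mixin import CacheControlMixin
 from onadata.libs.mixins.etags_mixin import ETagsMixin
@@ -106,8 +109,12 @@ def list(self, request, *args, **kwargs):
         if request.user.is_anonymous:
             xform = request.query_params.get("xform")
             if xform:
-                xform = XForm.objects.get(id=xform)
-                if not xform.shared_data:
+                xform = parse_int(xform)
+                if xform:
+                    xform = get_object_or_404(XForm, pk=xform)
+                    if not xform.shared_data:
+                        raise Http404(_("Not Found"))
+                else:
                     raise Http404(_("Not Found"))
 
         # pylint: disable=attribute-defined-outside-init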
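Review bot: The guard `if xform:` after `xform = parse_int(xform)` only yields the intended 404 if parse_int returns a falsy value (None or similar) for non-numeric input; if it raises ValueError instead, `?xform=lol` from an anonymous caller would still surface as an unhandled exception rather than the 404 the accompanying test expects, so this is worth confirming against onadata.libs.data.parse_int, which is outside this diff. The same truthiness check also sends a literal `?xform=0` to the else branch, which is harmless as long as primary keys start at 1, but `if xform is not None:` would state the intent more precisely. Collapsing "no such form" and "form not shared" into the identical `Http404(_("Not Found"))` is the right choice, as it stops an anonymous caller from distinguishing which ids exist; a comment above `if not xform.shared_data:` such as `# Same 404 for missing and unshared forms so anonymous callers learn nothing about which ids exist` would record that intent for the next maintainer. list() continues below the hunk.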
