Skip to content
Snippets Groups Projects
Verified Commit 7b84a988 authored by Eliot Berriot's avatar Eliot Berriot
Browse files

See #223: dangerous actions can now prevent executing an action on all objects

parent 7df9112d
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
api/funkwhale_api/common/serializers.py
+ 7
0
View file @ 7b84a988
......@@ -12,6 +12,9 @@ class ActionSerializer(serializers.Serializer):
filters = serializers.DictField(required=False)
actions = None
filterset_class = None
# those are actions identifier where we don't want to allow the "all"
# selector because it's to dangerous. Like object deletion.
dangerous_actions = []
def __init__(self, *args, **kwargs):
self.queryset = kwargs.pop('queryset')
......@@ -49,6 +52,10 @@ class ActionSerializer(serializers.Serializer):
'list of identifiers or the string "all".'.format(value))
def validate(self, data):
dangerous = data['action'] in self.dangerous_actions
if dangerous and self.initial_data['objects'] == 'all':
raise serializers.ValidationError(
'This action is to dangerous to be applied to all objects')
if self.filterset_class and 'filters' in data:
qs_filterset = self.filterset_class(
data['filters'], queryset=data['objects'])
......
api/tests/common/test_serializers.py
+ 36
0
View file @ 7b84a988
......@@ -18,6 +18,17 @@ class TestSerializer(serializers.ActionSerializer):
return {'hello': 'world'}
class TestDangerousSerializer(serializers.ActionSerializer):
actions = ['test', 'test_dangerous']
dangerous_actions = ['test_dangerous']
def handle_test(self, objects):
pass
def handle_test_dangerous(self, objects):
pass
def test_action_serializer_validates_action():
data = {'objects': 'all', 'action': 'nope'}
serializer = TestSerializer(data, queryset=models.User.objects.none())
......@@ -98,3 +109,28 @@ def test_action_serializers_validates_at_least_one_object():
assert serializer.is_valid() is False
assert 'non_field_errors' in serializer.errors
def test_dangerous_actions_refuses_all(factories):
factories['users.User']()
data = {
'objects': 'all',
'action': 'test_dangerous',
}
serializer = TestDangerousSerializer(
data, queryset=models.User.objects.all())
assert serializer.is_valid() is False
assert 'non_field_errors' in serializer.errors
def test_dangerous_actions_refuses_not_listed(factories):
factories['users.User']()
data = {
'objects': 'all',
'action': 'test',
}
serializer = TestDangerousSerializer(
data, queryset=models.User.objects.all())
assert serializer.is_valid() is True
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment