Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
Auri
funkwhale
Commits
7b84a988
Verified
Commit
7b84a988
authored
May 29, 2018
by
Eliot Berriot
Browse files
See #223: dangerous actions can now prevent executing an action on all objects
parent
7df9112d
Changes
2
Hide whitespace changes
Inline
Side-by-side
api/funkwhale_api/common/serializers.py
View file @
7b84a988
...
...
@@ -12,6 +12,9 @@ class ActionSerializer(serializers.Serializer):
filters
=
serializers
.
DictField
(
required
=
False
)
actions
=
None
filterset_class
=
None
# those are actions identifier where we don't want to allow the "all"
# selector because it's to dangerous. Like object deletion.
dangerous_actions
=
[]
def
__init__
(
self
,
*
args
,
**
kwargs
):
self
.
queryset
=
kwargs
.
pop
(
'queryset'
)
...
...
@@ -49,6 +52,10 @@ class ActionSerializer(serializers.Serializer):
'list of identifiers or the string "all".'
.
format
(
value
))
def
validate
(
self
,
data
):
dangerous
=
data
[
'action'
]
in
self
.
dangerous_actions
if
dangerous
and
self
.
initial_data
[
'objects'
]
==
'all'
:
raise
serializers
.
ValidationError
(
'This action is to dangerous to be applied to all objects'
)
if
self
.
filterset_class
and
'filters'
in
data
:
qs_filterset
=
self
.
filterset_class
(
data
[
'filters'
],
queryset
=
data
[
'objects'
])
...
...
api/tests/common/test_serializers.py
View file @
7b84a988
...
...
@@ -18,6 +18,17 @@ class TestSerializer(serializers.ActionSerializer):
return
{
'hello'
:
'world'
}
class
TestDangerousSerializer
(
serializers
.
ActionSerializer
):
actions
=
[
'test'
,
'test_dangerous'
]
dangerous_actions
=
[
'test_dangerous'
]
def
handle_test
(
self
,
objects
):
pass
def
handle_test_dangerous
(
self
,
objects
):
pass
def
test_action_serializer_validates_action
():
data
=
{
'objects'
:
'all'
,
'action'
:
'nope'
}
serializer
=
TestSerializer
(
data
,
queryset
=
models
.
User
.
objects
.
none
())
...
...
@@ -98,3 +109,28 @@ def test_action_serializers_validates_at_least_one_object():
assert
serializer
.
is_valid
()
is
False
assert
'non_field_errors'
in
serializer
.
errors
def
test_dangerous_actions_refuses_all
(
factories
):
factories
[
'users.User'
]()
data
=
{
'objects'
:
'all'
,
'action'
:
'test_dangerous'
,
}
serializer
=
TestDangerousSerializer
(
data
,
queryset
=
models
.
User
.
objects
.
all
())
assert
serializer
.
is_valid
()
is
False
assert
'non_field_errors'
in
serializer
.
errors
def
test_dangerous_actions_refuses_not_listed
(
factories
):
factories
[
'users.User'
]()
data
=
{
'objects'
:
'all'
,
'action'
:
'test'
,
}
serializer
=
TestDangerousSerializer
(
data
,
queryset
=
models
.
User
.
objects
.
all
())
assert
serializer
.
is_valid
()
is
True
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment