Merge pull request #5131 from vimarshc/issue4989

Ignore any invalidly formed query parameters for OrderingFilter.
2025-10-30 07:27:46 +03:00 · 2017-05-15 09:45:48 +01:00 · 2017-05-15 09:45:48 +01:00 · 003c304115
commit 003c304115
parent 996e587398 7b4afdc737
2 changed files with 20 additions and 1 deletions
--- a/rest_framework/filters.py
+++ b/rest_framework/filters.py
@ -11,6 +11,7 @@ from functools import reduce
 from django.core.exceptions import ImproperlyConfigured
 from django.db import models
 from django.db.models.constants import LOOKUP_SEP
+from django.db.models.sql.constants import ORDER_PATTERN
 from django.template import loader
 from django.utils import six
 from django.utils.encoding import force_text
@ -268,7 +269,7 @@ class OrderingFilter(BaseFilterBackend):

    def remove_invalid_fields(self, queryset, fields, view, request):
        valid_fields = [item[0] for item in self.get_valid_fields(queryset, view, {'request': request})]
-        return [term for term in fields if term.lstrip('-') in valid_fields]
+        return [term for term in fields if term.lstrip('-') in valid_fields and ORDER_PATTERN.match(term)]

    def filter_queryset(self, request, queryset, view):
        ordering = self.get_ordering(request, queryset, view)
--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@ -764,6 +764,23 @@ class OrderingFilterTests(TestCase):
            {'id': 1, 'title': 'zyx', 'text': 'abc'},
        ]

+    def test_incorrecturl_extrahyphens_ordering(self):
+        class OrderingListView(generics.ListAPIView):
+            queryset = OrderingFilterModel.objects.all()
+            serializer_class = OrderingFilterSerializer
+            filter_backends = (filters.OrderingFilter,)
+            ordering = ('title',)
+            ordering_fields = ('text',)
+
+        view = OrderingListView.as_view()
+        request = factory.get('/', {'ordering': '--text'})
+        response = view(request)
+        assert response.data == [
+            {'id': 3, 'title': 'xwv', 'text': 'cde'},
+            {'id': 2, 'title': 'yxw', 'text': 'bcd'},
+            {'id': 1, 'title': 'zyx', 'text': 'abc'},
+        ]
+
    def test_incorrectfield_ordering(self):
        class OrderingListView(generics.ListAPIView):
            queryset = OrderingFilterModel.objects.all()
@ -883,6 +900,7 @@ class OrderingFilterTests(TestCase):
            queryset = OrderingFilterModel.objects.all()
            filter_backends = (filters.OrderingFilter,)
            ordering = ('title',)
+
            # note: no ordering_fields and serializer_class specified

            def get_serializer_class(self):