From ed70f5636a3eb9de0d726002521a33319d8d94a5 Mon Sep 17 00:00:00 2001
From: vimarshc
Date: Thu, 11 May 2017 12:53:10 +0530
Subject: [PATCH 1/2] Added failing test case for multiple hyphens in orderingfilter paramter

---
 tests/test_filters.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tests/test_filters.py b/tests/test_filters.py
index d2c11d258..15eb2ccf3 100644
--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@@ -764,6 +764,22 @@ class OrderingFilterTests(TestCase):
 {'id': 1, 'title': 'zyx', 'text': 'abc'},
 ]
 
+ def test_incorrecturl_extrahyphens_ordering(self):
+ class OrderingListView(generics.ListAPIView):
+ queryset = OrderingFilterModel.objects.all()
+ serializer_class = OrderingFilterSerializer
+ filter_backends = (filters.OrderingFilter,)
+ ordering = ('title',)
+ ordering_fields = ('text',)
+
+ view = OrderingListView.as_view()
+ request = factory.get('/', {'ordering':'--text'})
+ response = view(request)
+ assert response.data == [
+ {'id': 3, 'title': 'xwv', 'text': 'cde'},
+ {'id': 2, 'title': 'yxw', 'text': 'bcd'},
+ {'id': 1, 'title': 'zyx', 'text': 'abc'},
+ ]
 def test_incorrectfield_ordering(self):
 class OrderingListView(generics.ListAPIView):
 queryset = OrderingFilterModel.objects.all()

From b2d614930166b6d2e3df89c7dc486fbbcf9ebd37 Mon Sep 17 00:00:00 2001
From: vimarshc
Date: Sat, 13 May 2017 04:54:22 +0530
Subject: [PATCH 2/2] importing regex constant to remove invalid parameters.

---
 rest_framework/filters.py | 3 ++-
 tests/test_filters.py | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/rest_framework/filters.py b/rest_framework/filters.py
index 429b79c77..aea9d3a57 100644
--- a/rest_framework/filters.py
+++ b/rest_framework/filters.py
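Review bot: The new test pins only the single-term case `{'ordering':'--text'}`, so it does not show what happens when a malformed term is mixed with a valid one in the same parameter, which is the shape an attacker or a sloppy client would actually send. Since the backend filters the comma-separated value term by term, a second request with `{'ordering': 'text,--text'}` should presumably keep `text` and drop `--text`, and asserting that would document the contract rather than leaving it implied. Adding the valid single-hyphen form `-text` next to it would make the boundary explicit, unless another test in the class already covers it. The enclosing `OrderingFilterTests` class continues outside the hunk.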
@@ -11,6 +11,7 @@ from functools import reduce
 from django.core.exceptions import ImproperlyConfigured
 from django.db import models
 from django.db.models.constants import LOOKUP_SEP
+from django.db.models.sql.constants import ORDER_PATTERN
 from django.template import loader
 from django.utils import six
 from django.utils.encoding import force_text
@@ -268,7 +269,7 @@ class OrderingFilter(BaseFilterBackend):
 
 def remove_invalid_fields(self, queryset, fields, view, request):
 valid_fields = [item[0] for item in self.get_valid_fields(queryset, view, {'request': request})]
- return [term for term in fields if term.lstrip('-') in valid_fields]
+ return [term for term in fields if term.lstrip('-') in valid_fields and ORDER_PATTERN.match(term)]
 
 def filter_queryset(self, request, queryset, view):
 ordering = self.get_ordering(request, queryset, view)
diff --git a/tests/test_filters.py b/tests/test_filters.py
index 15eb2ccf3..b2de80998 100644
--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@@ -773,13 +773,14 @@ class OrderingFilterTests(TestCase):
 ordering_fields = ('text',)
 
 view = OrderingListView.as_view()
- request = factory.get('/', {'ordering':'--text'})
+ request = factory.get('/', {'ordering': '--text'})
 response = view(request)
 assert response.data == [
 {'id': 3, 'title': 'xwv', 'text': 'cde'},
 {'id': 2, 'title': 'yxw', 'text': 'bcd'},
 {'id': 1, 'title': 'zyx', 'text': 'abc'},
 ]
+
 def test_incorrectfield_ordering(self):
 class OrderingListView(generics.ListAPIView):
 queryset = OrderingFilterModel.objects.all()
@@ -899,6 +900,7 @@ class OrderingFilterTests(TestCase):
 queryset = OrderingFilterModel.objects.all()
 filter_backends = (filters.OrderingFilter,)
 ordering = ('title',)
+ # note: no ordering_fields and serializer_class specified
 def get_serializer_class(self):
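Review bot: `django.db.models.sql.constants` is an internal module of Django's ORM rather than documented public API, so the `ORDER_PATTERN` import added in this hunk can change shape or disappear on a Django upgrade with no deprecation path, and nothing in the diff records that. A comment on the import line would at least make the dependency visible: `# private Django constant; re-check on every Django version bump`. As far as I recall the pattern also accepts `?` and a leading `+`, which is broader than the `-` prefix OrderingFilter supports, so the membership check against `valid_fields` remains the real gatekeeper and the regex should not be relied on alone.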
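Review bot: The root cause in `remove_invalid_fields` is `term.lstrip('-')`, which strips any number of leading hyphens, so `--text` passed the whitelist and was presumably handed to `order_by()` unchanged; the added `ORDER_PATTERN.match(term)` blocks that symptom but leaves the permissive strip in place and ties the check to a private Django regex. Because `fields` comes straight from the `ordering` query parameter, every term that survives this line reaches the ORM as untrusted input, so the whitelist should be the strict part: stripping at most one hyphen makes it self-contained, `(term[1:] if term.startswith('-') else term) in valid_fields`, and the extra import becomes unnecessary. If `ORDER_PATTERN` is kept, `ORDER_PATTERN.match(term) is not None` reads more clearly than relying on match-object truthiness. `remove_invalid_fields` lies fully inside the hunk; `filter_queryset` continues past it.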