-
Notifications
You must be signed in to change notification settings - Fork 123
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixed delimiter validation in resources endpoint #1998
Conversation
app/models/resource.rb
Outdated
@@ -105,6 +105,9 @@ def search account: nil, kind: nil, owner: nil, offset: nil, limit: nil, search: | |||
scope = scope.textsearch(search) if search | |||
|
|||
if offset || limit | |||
if (offset && !numeric?(offset)) || (limit && !numeric?(limit)) | |||
raise ApplicationController::UnprocessableEntity, "Delimiter must be an integer if given" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@shulifink can you please review this message?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand. What do you mean "if given"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@liavyona Isn't it enough to just say "If you provide a value for Delimiter, it must be an integer greater than or equal to 0".
or simply: "Delimiter must be an integer greater than or equal to 0".
or "... must be an integer", or "must be a positive integer " (depending on what the integer type)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would go with "Delimiter offset or limit must be an integer greater than or equal to 0"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM @liavyona , thanks!
please get a review from @shulifink on the message.
@@ -212,6 +216,11 @@ def bad_request e | |||
head :bad_request | |||
end | |||
|
|||
def unprocessable_entity e |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ApplicationController#unprocessable_entity has the parameter name 'e'
@@ -131,6 +134,10 @@ def textsearch input | |||
def visible_to role | |||
from Sequel.function(:visible_resources, role.id).as(:resources) | |||
end | |||
|
|||
def numeric? val |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resource#numeric? doesn't depend on instance state (maybe move it to another class?)
@liavyona please make sure to add a change log message for this! it's definitely a user-impacting change, and we should let people know we've fixed this. |
574535e
to
01199e5
Compare
01199e5
to
1faaf94
Compare
case kind | ||
when "variable" | ||
response["secrets"] = secrets_dataset.order(:version).as_json | ||
.map { |h| h.except 'resource' } | ||
.map { |h| h.except 'resource' } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use 2 (not 37) spaces for indenting an expression in an assignment spanning multiple lines.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work! Thanks for jumping on this bug
A couple of things 1. as Oren mentioned please check with Shuli that these logs are ok before merging 2. I tagged you in a codeclimate suggestion so check that out :)
1faaf94
to
e11474c
Compare
e11474c
to
6a22304
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thanks for this improvement!
# 'offset' must be an integer greater than or equal to 0 if given | ||
if offset && (!numeric?(offset) || offset.to_i.negative?) | ||
raise ApplicationController::UnprocessableEntity, "'offset' contains an invalid value. 'offset' must be an integer greater than or equal to 0." | ||
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
UnprocessableEntity
is an http level concern. That is, we should only be talking about that error inside of controllers, and specifically in code that is mapping an actual domain error into an http status code.
Inside of the model we should be raising a more specific validation error, with a name that reflects what went wrong. InvalidQueryParameter
or something like that.
Separate comment: There's a lot of formatting / clean changes here (which is awesome), but please put those into a separate commit with a subject like "Cleanup formatting" -- otherwise the "meat" of this PR (which is actually pretty small and simple) isn't clear at a glance.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jonahx fixed
2a78590
to
a9b50e7
Compare
a9b50e7
to
5549927
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great @liavyona
Thank you for taking this on.
app/models/resource.rb
Outdated
raise "'limit' contains an invalid value. 'limit' must be a positive integer." | ||
end | ||
# 'offset' must be an integer greater than or equal to 0 if given | ||
if offset && (!numeric?(offset) || offset.to_i.negative?) | ||
raise "'offset' contains an invalid value. 'offset' must be an integer greater than or equal to 0." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@liavyona is it possible to move these errors to errors.rb
?
we prefer to have all the user-facing messages there
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it will be a problem to use a custom exception inside a model class. Ads you can see there is no usage of any error which is defined at errors.rb
under app/model
. Other model classes use simple raise
or ArgumentError
. I changed it to use ArgumentError
f06a1df
to
442015a
Compare
`GET /resources` endpoints takes 2 optionals numeric delimiters as requests parameters: `limit` & `offset`. Previously, no input validation has been made when receiving these optional parameters. Now, we verify that their value is valid if given.
442015a
to
f8679e1
Compare
Code Climate has analyzed commit f8679e1 and detected 8 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 90.9% (50% is the threshold). This pull request will bring the total coverage in the repository to 89.3% (0.0% change). View more on Code Climate. |
What does this PR do?
resources
endpointWhat ticket does this PR close?
Resolves #1997
Checklists
Change log
Test coverage
Documentation
README
s) were updated in this PR, and/or there is a follow-on issue to update docs, or