White-list query parameters #87
Open
Bump |
Pacifica Metadata version
1.0
Pacifica Core Software versions
n/a
Platform Details
All supported platforms.
Scenario:
The decorator functions in metadata/rest/orm.py should white-list HTTP query parameters using the "Strong Parameters" technique (cf. http://api.rubyonrails.org/classes/ActionController/StrongParameters.html).
Steps to Reproduce:
1. Issue a GET request with a valid identifier and an unacceptable query parameter, e.g., using the cURL command:
   curl -X GET 'http://example.com/users?_id=XYZ&foo=bar'
   where "XYZ" is a valid User ID.
2. Issue a GET request with only unacceptable query parameters, e.g., using the cURL command:
   curl -X GET 'http://example.com/users?foo=bar'
Expected Result:
1. Server should respond with HTTP status code: 406 Not Acceptable.
2. Server should respond with HTTP status code: 406 Not Acceptable.
Actual Result:
1. Server responds with HTTP status code: 500 Internal Server Error.
2. Server responds with HTTP status code: 200 OK; response body is ALL records (i.e., no filtering).
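A minimal sketch of the whitelisting decorator this issue asks for, added here as an illustration and not taken from the Pacifica code base. The names `permit`, `NotAcceptable`, `select_users`, `get_users` and `status_for`, the column list, and the sample records are all hypothetical or constructed; the unguarded lookup only stands in for the "no filtering" behaviour reported in step 2.

```python
import functools


class NotAcceptable(Exception):
    """Hypothetical error that a REST layer would map to HTTP 406."""
    status = 406


def permit(*allowed):
    """Strong-parameters style guard: reject any query key not in `allowed`."""
    allowed_keys = frozenset(allowed)

    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(**query):
            unknown = sorted(set(query) - allowed_keys)
            if unknown:
                # Fail closed before the handler ever builds a query.
                raise NotAcceptable('unpermitted parameters: ' + ', '.join(unknown))
            return handler(**query)
        return wrapper
    return decorator


# Constructed sample data and column list (assumptions, not the real schema).
USERS = [{'_id': 'XYZ', 'name': 'alice'}, {'_id': 'ABC', 'name': 'bob'}]
COLUMNS = ('_id', 'name')


def select_users(**query):
    """Unguarded lookup: unknown keys are silently dropped, so a request
    carrying only ?foo=bar ends up with no filters and matches every row."""
    filters = {k: v for k, v in query.items() if k in COLUMNS}
    return [u for u in USERS if all(u[k] == v for k, v in filters.items())]


@permit(*COLUMNS)
def get_users(**query):
    """Guarded lookup: only whitelisted keys ever reach select_users."""
    return select_users(**query)


def status_for(**query):
    """Return the HTTP status the guarded handler would produce."""
    try:
        get_users(**query)
        return 200
    except NotAcceptable as err:
        return err.status
```
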