Launchpad itself

Merge lp:~julian-edwards/launchpad/ppa-search-oops-bug-446157 into lp:launchpad

  1. ppa-search-oops-bug-446157
  2. Merge into devel
Proposed by Julian Edwards
Status: Merged
Merged at revision: not available
Proposed branch: lp:~julian-edwards/launchpad/ppa-search-oops-bug-446157
Merge into: lp:launchpad
Diff against target: 42 lines
2 files modified
lib/lp/registry/browser/distribution.py (+7/-0)
lib/lp/soyuz/stories/ppa/xx-ubuntu-ppas.txt (+14/-0)
To merge this branch: bzr merge lp:~julian-edwards/launchpad/ppa-search-oops-bug-446157
Reviewer Review Type Date Requested Status
Michael Nelson (community) code Approve
Review via email: mp+13361@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Julian Edwards (julian-edwards) wrote :

= Summary =
Fix an oops when someone hand-hacks URLs searching PPAs.

== Proposed fix ==
We need to cope with a list value when expecting a string in the form data.
This is a trivial change in the view code, but I also filed a Foundations bugs
since we should be able to do this generically in the form setup.

== Pre-implementation notes ==
None, I suck.

== Tests ==
bin/test -cvvt xx-ubuntu-ppas

== Demo and Q/A ==
https://launchpad.dev/ubuntu/+ppas?name_filter=packages&name_filter=humanity

= Launchpad lint =

Checking for conflicts. and issues in doctests and templates.
Running jslint, xmllint, pyflakes, and pylint.
Using normal rules.

Linting changed files:
  lib/lp/soyuz/stories/ppa/xx-ubuntu-ppas.txt
  lib/lp/registry/browser/distribution.py

Revision history for this message
Michael Nelson (michael.nelson) wrote :

Thanks Julian. Just a suggestion for changing the comment below.

> === modified file 'lib/lp/registry/browser/distribution.py'
> --- lib/lp/registry/browser/distribution.py 2009-09-23 14:58:12 +0000
> +++ lib/lp/registry/browser/distribution.py 2009-10-15 08:23:35 +0000
> @@ -646,6 +646,15 @@
>
> def initialize(self):
> self.name_filter = self.request.get('name_filter')
> + if isinstance(self.name_filter, list):
> + # This happens if someone hand-hacks the URL so that it has
> + # more than one name_filter field.
> + #

Is that normal? I've normally just left a blank line there. I'm just
interested to know.

> + # XXX 2009-10-14 Julian bug=451424
> + # There really should be a way for the form to reject
> + # unexpected input like this before it hits the code here.
> + # See bug 451424.

As per our conversation, I think the issue here is more that we are not
using an LPFormView. We could inherit from LPFormView, have an interface
for the search form defined, use a safe_action and the data would be
validated automatically right? Up to you whether you want to go ahead
and actually do that, or simply update the above comment.

> + self.name_filter = " ".join(self.name_filter)

Great - at first I wondered why you didn't just grab name_filter[0]
(or [-1]), but the doctest has a good justification for joining the
terms.

> self.show_inactive = self.request.get('show_inactive')
>
> @property
>
> === modified file 'lib/lp/soyuz/stories/ppa/xx-ubuntu-ppas.txt'
> --- lib/lp/soyuz/stories/ppa/xx-ubuntu-ppas.txt 2009-09-23 14:58:12 +0000
> +++ lib/lp/soyuz/stories/ppa/xx-ubuntu-ppas.txt 2009-10-15 08:23:35 +0000
> @@ -246,6 +246,20 @@
> 1
>
>
> +=== Hand-hacked search URLs ==
> +
> +If the search term is specified more than once by someone hand-hacking the
> +URL, the page copes gracefully with this by searching for all the terms
> +specified.
> +
> + >>> anon_browser.open(
> + ... "http://launchpad.dev/ubuntu/+ppas"
> + ... "?name_filter=packages&name_filter=friends")
> + >>> [row] = find_tags_by_class(anon_browser.contents, 'ppa_batch_row')
> + >>> print extract_text(row)
> + PPA for Celso Providelo...
> +
> +
> == Owner's PPA pages ==
>
> Let's start by adding an extra package to Celso's archive:

--
Michael

review: Approve (code)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'lib/lp/registry/browser/distribution.py'
--- lib/lp/registry/browser/distribution.py 2009-09-23 14:58:12 +0000
+++ lib/lp/registry/browser/distribution.py 2009-10-15 10:29:13 +0000
@@ -646,6 +646,13 @@
646646
647 def initialize(self):647 def initialize(self):
648 self.name_filter = self.request.get('name_filter')648 self.name_filter = self.request.get('name_filter')
649 if isinstance(self.name_filter, list):
650 # This happens if someone hand-hacks the URL so that it has
651 # more than one name_filter field. We could do something
652 # like form.getOne() so that the request would be rejected,
653 # but we can acutally do better and join the terms supplied
654 # instead.
655 self.name_filter = " ".join(self.name_filter)
649 self.show_inactive = self.request.get('show_inactive')656 self.show_inactive = self.request.get('show_inactive')
650657
651 @property658 @property
652659
=== modified file 'lib/lp/soyuz/stories/ppa/xx-ubuntu-ppas.txt'
--- lib/lp/soyuz/stories/ppa/xx-ubuntu-ppas.txt 2009-09-23 14:58:12 +0000
+++ lib/lp/soyuz/stories/ppa/xx-ubuntu-ppas.txt 2009-10-15 10:29:13 +0000
@@ -246,6 +246,20 @@
246 1246 1
247247
248248
249=== Hand-hacked search URLs ==
250
251If the search term is specified more than once by someone hand-hacking the
252URL, the page copes gracefully with this by searching for all the terms
253specified.
254
255 >>> anon_browser.open(
256 ... "http://launchpad.dev/ubuntu/+ppas"
257 ... "?name_filter=packages&name_filter=friends")
258 >>> [row] = find_tags_by_class(anon_browser.contents, 'ppa_batch_row')
259 >>> print extract_text(row)
260 PPA for Celso Providelo...
261
262
249== Owner's PPA pages ==263== Owner's PPA pages ==
250264
251Let's start by adding an extra package to Celso's archive:265Let's start by adding an extra package to Celso's archive: