Merge lp:~sinzui/launchpad/vocab-storm-bug-413287 into lp:launchpad
Proposed by Curtis Hovey
Status: | Merged |
---|---|
Approved by: | Eleanor Berger |
Approved revision: | not available |
Merged at revision: | not available |
Proposed branch: | lp:~sinzui/launchpad/vocab-storm-bug-413287 |
Merge into: | lp:launchpad |
Diff against target: | 95 lines (+35/-16), 2 files modified: lib/lp/registry/doc/vocabularies.txt (+23/-2), lib/lp/registry/vocabularies.py (+12/-14) |
To merge this branch: | bzr merge lp:~sinzui/launchpad/vocab-storm-bug-413287 |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Eleanor Berger (community) | Approve | ||
Review via email: mp+15125@code.launchpad.net |
This is my branch to prevent oopses when searching or validating persons with '%'
in their names.
lp:~sinzui/launchpad/vocab-storm-bug-413287
Diff size: 96
Launchpad bug: https://bugs.launchpad.net/bugs/413287
Test command: ./bin/test -vvt "registry.*doc/vocab"
Pre-implementation: no one
Target release: 3.1.11
= Prevent oopses when searching or validating persons with '%' in their names =
The '%' is just not escaped, so psycopg's variable substitution blows up.
The ValidPersonOrTeamVocabulary uses SQL() to add hand-coded sql to a storm
query. When it does this, it uses python string substitutions. Instead, we
should use the optional second argument to SQL() to pass in the variables,
which will escape them properly.
For example:
SQL('SELECT name FROM person WHERE id = ? AND displayname = ?', (33, 'foo'))
This should also eliminate the need to use quote() and quote_like() on the
parameters.
== Rules ==
* Revise the query to be a Storm expression.
== QA ==
* Try to reassign a project or team to another user.
* Place a percent in the user's name.
* Verify that the screen explains that there are no matching users.
* Using the person picker
* Search for a name with a percent in it
* Verify you do not get an error.
== Lint ==
Linting changed files:
lib/lp/registry/vocabularies.py
lib/lp/registry/doc/vocabularies.txt
== Test ==
* lib/lp/registry/doc/vocabularies.txt
* Added a test to verify that searching for % and ? work.
== Implementation ==
* lib/lp/registry/vocabularies.py
* Revised the two parts of the SQL to use a storm expression
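
An added example, not taken from this branch or from Launchpad's code, contrasting string substitution with bound parameters for a display name containing '%'. It uses Python's sqlite3 module as a stand-in for Storm and psycopg; the table, rows and function names are constructed, and pyformat_pass is a hypothetical imitation of a driver's %-style substitution.

```python
import sqlite3

# Constructed sample rows; the table is a stand-in for a person table.
ROWS = [(1, "pct", "100% Pure"), (2, "qmark", "Why?"), (3, "plain", "Sample Person")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER, name TEXT, displayname TEXT)")
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", ROWS)
    return conn

def pyformat_pass(statement, params):
    """Hypothetical stand-in for a driver that fills %s placeholders
    with Python-style substitution (values are quoted naively here)."""
    quoted = tuple("'%s'" % str(p).replace("'", "''") for p in params)
    return statement % quoted

def find_interpolated(displayname, min_id):
    """Before: the hand-written fragment is built with Python string
    substitution, so the user's text becomes part of the statement."""
    fragment = "displayname = '%s'" % displayname.replace("'", "''")
    statement = "SELECT name FROM person WHERE %s AND id >= %%s" % fragment
    try:
        # A '%' inside the user's text is now read as a format directive.
        return pyformat_pass(statement, (min_id,))
    except (ValueError, TypeError, IndexError) as exc:
        return "substitution failed: %s" % type(exc).__name__

def find_bound(conn, displayname, min_id):
    """After: the statement text is constant and every value is bound."""
    cur = conn.execute(
        "SELECT name FROM person WHERE displayname = ? AND id >= ?",
        (displayname, min_id))
    return [row[0] for row in cur.fetchall()]
```

With bound values, a search for a bare '%' is an ordinary equality test and returns no rows instead of raising.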