Validate properties specified for sorting and grouping in index

views. Original patch from martin.v.loewis via:

  https://hg.python.org/tracker/roundup/rev/439bd3060df2

Applied by John Rouillard with some modification to properly
identify if the bad property is a sort or grouping property. Tests
added. Ideally we would never get bad sort/group properties but...

Author: rouilj

CHANGES.txt

@@ -132,6 +132,12 @@ Fixed:
 - issue2550850 anypy/email_.py uses BSPACE which is not defined in python 2.7
   Supplied a definition for BSPACE since it seems to not be defined
   anywhere. Reported by Dennis Boone. (John Rouillard)
+- Validate properties specified for sorting and grouping in index
+  views. Original patch from martin.v.loewis via:
+  https://hg.python.org/tracker/roundup/rev/439bd3060df2
+  Applied by John Rouillard with some modification to properly
+  identify if the bad property is a sort or grouping property. Tests
+  added.
 
 2016-01-11: 1.5.1
 

roundup/cgi/templating.py

@@ -2517,13 +2517,18 @@ def _parse_sort(self, var, name):
                     dirs.append(self.form.getfirst(dirkey))
             if fields: # only try other special char if nothing found
                 break
+        cls = self.client.db.getclass(self.classname)
         for f, d in map(None, fields, dirs):
             if f.startswith('-'):
-                var.append(('-', f[1:]))
+                dir, propname = '-', f[1:]
             elif d:
-                var.append(('-', f))
+                dir, propname = '-', f
             else:
-                var.append(('+', f))
+                dir, propname = '+', f
+            if cls.get_transitive_prop(propname) is None:
+                self.client.add_error_message("Unknown %s property %s"%(name, propname))
+            else:
+                var.append((dir, propname))
 
     def _form_has_key(self, name):
         try:

test/test_cgi.py

@@ -787,6 +787,7 @@ def _make_client(self, form, classname='user', nodeid='1',
         cl.userid = userid
         cl.language = ('en',)
         cl._error_message = []
+        cl._ok_message = []
         cl.template = template
         return cl
 
@@ -986,6 +987,21 @@ def testSearchPermission(self):
             userid=chef, template='index')
         h = HTMLRequest(cl)
         self.assertEqual([x.id for x in h.batch()],['2', '3', '1'])
+        self.assertEqual(cl._error_message, []) # test for empty _error_message when sort is valid
+        self.assertEqual(cl._ok_message, []) # test for empty _ok_message when sort is valid
+
+        # Test for correct _error_message for invalid sort/group properties
+        baddepsort = {'@action':'search','columns':'id','@sort':'dep'}
+        baddepgrp = {'@action':'search','columns':'id','@group':'dep'}
+        cl = self._make_client(baddepsort, classname='iss', nodeid=None,
+            userid=chef, template='index')
+        h = HTMLRequest(cl)
+        self.assertEqual(cl._error_message, ['Unknown sort property dep'])
+        cl = self._make_client(baddepgrp, classname='iss', nodeid=None,
+            userid=chef, template='index')
+        h = HTMLRequest(cl)
+        self.assertEqual(cl._error_message, ['Unknown group property dep'])
+
         cl = self._make_client(depgrp, classname='iss', nodeid=None,
             userid=chef, template='index')
         h = HTMLRequest(cl)