Committed edited fix for issue2550712 by Cedric Krier.

bernhardreiter · bernhardreiter · commit 7a62744502fd · 2012-05-14T17:46:15.000+02:00
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -43,6 +43,8 @@ Fixed:
   Reported and fixed by Ralf Hemmecke. (Bernhard)
 - issue2550715: IndexError when requesting non-existing file via http.
   Reported and fixed by C�dric Krier. (Bernhard)
+- issue2550712: exportcsvaction errors poorly when given invalid columns.
+  Reported by Will Kahn-Greene, fixed by C�dric Krier. (Bernhard)
 - issue2550695: 'No sort or group' settings not retained when editing queries.
   Reported and fixed by John Kristensen. Tested by Satchidanand Haridas. 
   (Bernhard)
diff --git a/roundup/cgi/actions.py b/roundup/cgi/actions.py
@@ -1035,6 +1035,18 @@ def handle(self):
         columns = request.columns
         klass = self.db.getclass(request.classname)
 
+        # check if all columns exist on class
+        # the exception must be raised before sending header
+        props = klass.getprops()
+        for cname in columns:
+            if cname not in props:
+                # TODO raise exceptions.NotFound(.....) does not give message
+                # so using SeriousError instead
+                self.client.response_code = 404
+                raise exceptions.SeriousError(
+                    self._('Column "%(column)s" not found on %(class)s')
+                    % {'column': cgi.escape(cname), 'class': request.classname})
+
         # full-text search
         if request.search_text:
             matches = self.db.indexer.search(
diff --git a/test/test_cgi.py b/test/test_cgi.py
@@ -930,14 +930,26 @@ def testCSVExport(self):
             '8,resolved\r\n',
             output.getvalue())
 
+    def testCSVExportBadColumnName(self):
+        cl = self._make_client({'@columns': 'falseid,name'}, nodeid=None,
+            userid='1')
+        cl.classname = 'status'
+        output = StringIO.StringIO()
+        cl.request = MockNull()
+        cl.request.wfile = output
+        self.assertRaises(exceptions.SeriousError,
+            actions.ExportCSVAction(cl).handle)
+
     def testCSVExportFailPermission(self):
         cl = self._make_client({'@columns': 'id,email,password'}, nodeid=None,
             userid='2')
         cl.classname = 'user'
         output = StringIO.StringIO()
         cl.request = MockNull()
         cl.request.wfile = output
-        self.assertRaises(exceptions.Unauthorised,
+        # used to be self.assertRaises(exceptions.Unauthorised,
+        # but not acting like the column name is not found
+        self.assertRaises(exceptions.SeriousError,
             actions.ExportCSVAction(cl).handle)
 
 
