discourse
/
discourse-docs
mirror of https://github.com/discourse/discourse-docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: ignore category filter when incorrect param (#59) 

Category filter accepts ids of categories. If value is manipulated, we should ignore it.
This commit is contained in:
Krzysztof Kotlarek 2021-09-27 14:52:27 +10:00 committed by GitHub
parent b2de26d52c
commit 72cdd8d415
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/docs/query.rb
View File

@ -27,7 +27,8 @@ module Docs
# filter results by selected category
if @filters[:category].present?
results = results.where('topics.category_id IN (?)', @filters[:category].split('|'))
category_ids = @filters[:category].split('|')
results = results.where('topics.category_id IN (?)', category_ids) if category_ids.all? { |id| id =~ /\A\d+\z/ }
end
# filter results by selected tags

14
spec/requests/docs_controller_spec.rb
View File

@ -120,6 +120,20 @@ describe Docs::DocsController do
expect(categories.size).to eq(1)
expect(topics.size).to eq(1)
end
it 'ignores category filter when incorrect argument' do
get "/docs.json?category=hack"
expect(response.status).to eq(200)
json = JSON.parse(response.body)
categories = json['categories']
topics = json['topics']['topic_list']['topics']
expect(categories.size).to eq(2)
expect(topics.size).to eq(3)
end
end
context 'when ordering results' do