Merge pull request #5131 from vimarshc/issue4989

Ignore any invalidly formed query parameters for OrderingFilter.

Merge pull request #5131 from vimarshc/issue4989
Ignore any invalidly formed query parameters for OrderingFilter.
003c3041 · Tom Christie · GitHub · 996e5873 · 7b4afdc7 · 003c3041
Commit 003c3041 authored May 15, 2017 by Tom Christie Committed by GitHub May 15, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 1 deletions

rest_framework/filters.py
+2 -1

tests/test_filters.py
+18 -0

No files found.
--- a/rest_framework/filters.py
+++ b/rest_framework/filters.py
@@ -11,6 +11,7 @@ from functools import reduce
 from django.core.exceptions import ImproperlyConfigured
 from django.db import models
 from django.db.models.constants import LOOKUP_SEP
+from django.db.models.sql.constants import ORDER_PATTERN
 from django.template import loader
 from django.utils import six
 from django.utils.encoding import force_text
@@ -268,7 +269,7 @@ class OrderingFilter(BaseFilterBackend):
    def remove_invalid_fields(self, queryset, fields, view, request):
        valid_fields = [item[0] for item in self.get_valid_fields(queryset, view, {'request': request})]
-        return [term for term in fields if term.lstrip('-') in valid_fields]
+        return [term for term in fields if term.lstrip('-') in valid_fields and ORDER_PATTERN.match(term)]
    def filter_queryset(self, request, queryset, view):
        ordering = self.get_ordering(request, queryset, view)

--- a/tests/test_filters.py
+++ b/tests/test_filters.py
@@ -764,6 +764,23 @@ class OrderingFilterTests(TestCase):
            {'id': 1, 'title': 'zyx', 'text': 'abc'},
        ]
+    def test_incorrecturl_extrahyphens_ordering(self):
+        class OrderingListView(generics.ListAPIView):
+            queryset = OrderingFilterModel.objects.all()
+            serializer_class = OrderingFilterSerializer
+            filter_backends = (filters.OrderingFilter,)
+            ordering = ('title',)
+            ordering_fields = ('text',)
+        view = OrderingListView.as_view()
+        request = factory.get('/', {'ordering': '--text'})
+        response = view(request)
+        assert response.data == [
+            {'id': 3, 'title': 'xwv', 'text': 'cde'},
+            {'id': 2, 'title': 'yxw', 'text': 'bcd'},
+            {'id': 1, 'title': 'zyx', 'text': 'abc'},
+        ]
    def test_incorrectfield_ordering(self):
        class OrderingListView(generics.ListAPIView):
            queryset = OrderingFilterModel.objects.all()
@@ -883,6 +900,7 @@ class OrderingFilterTests(TestCase):
            queryset = OrderingFilterModel.objects.all()
            filter_backends = (filters.OrderingFilter,)
            ordering = ('title',)
            # note: no ordering_fields and serializer_class specified
            def get_serializer_class(self):