Merge pull request #116 from edx/fix/cdodge/make-sure-imported-files-are-location-clean

partial fix for STUD-145, catch invalid location errors and return a HTT...

Merge pull request #116 from edx/fix/cdodge/make-sure-imported-files-are-location-clean
partial fix for STUD-145, catch invalid location errors and return a HTT...
1c348a94 · chrisndodge · 5bc91d8a · 0c699182 · 1c348a94 · 1c348a94
Commit 1c348a94 authored Jun 10, 2013 by chrisndodge
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 5 deletions

cms/djangoapps/contentstore/tests/test_contentstore.py
+11 -0

cms/djangoapps/contentstore/views/component.py
+19 -5

No files found.
--- a/cms/djangoapps/contentstore/tests/test_contentstore.py
+++ b/cms/djangoapps/contentstore/tests/test_contentstore.py
@@ -120,6 +120,17 @@ class ContentStoreToyCourseTest(ModuleStoreTestCase):
    def test_advanced_components_require_two_clicks(self):
        self.check_components_on_page(['videoalpha'], ['Video Alpha'])

+    def test_malformed_edit_unit_request(self):
+        store = modulestore('direct')
+        import_from_xml(store, 'common/test/data/', ['simple'])
+
+        # just pick one vertical
+        descriptor = store.get_items(Location('i4x', 'edX', 'simple', 'vertical', None, None))[0]
+        location = descriptor.location._replace(name='.' + descriptor.location.name)
+
+        resp = self.client.get(reverse('edit_unit', kwargs={'location': location.url()}))
+        self.assertEqual(resp.status_code, 400)
+
    def check_edit_unit(self, test_course_name):
        import_from_xml(modulestore('direct'), 'common/test/data/', [test_course_name])


--- a/cms/djangoapps/contentstore/views/component.py
+++ b/cms/djangoapps/contentstore/views/component.py
@@ -7,7 +7,7 @@ from django.contrib.auth.decorators import login_required
 from django.core.exceptions import PermissionDenied
 from django_future.csrf import ensure_csrf_cookie
 from django.conf import settings
-
+from xmodule.modulestore.exceptions import ItemNotFoundError, InvalidLocationError
 from mitxmako.shortcuts import render_to_response

 from xmodule.modulestore import Location
@@ -50,11 +50,18 @@ ADVANCED_COMPONENT_POLICY_KEY = 'advanced_modules'
 @login_required
 def edit_subsection(request, location):
    # check that we have permissions to edit this item
-    course = get_course_for_item(location)
+    try:
+        course = get_course_for_item(location)
+    except InvalidLocationError:
+        return HttpResponseBadRequest()
+
    if not has_access(request.user, course.location):
        raise PermissionDenied()

-    item = modulestore().get_item(location, depth=1)
+    try:
+        item = modulestore().get_item(location, depth=1)
+    except ItemNotFoundError:
+        return HttpResponseBadRequest()

    lms_link = get_lms_link_for_item(location, course_id=course.location.course_id)
    preview_link = get_lms_link_for_item(location, course_id=course.location.course_id, preview=True)
@@ -113,11 +120,18 @@ def edit_unit(request, location):

    id: A Location URL
    """
-    course = get_course_for_item(location)
+    try:
+        course = get_course_for_item(location)
+    except InvalidLocationError:
+        return HttpResponseBadRequest()
+
    if not has_access(request.user, course.location):
        raise PermissionDenied()

-    item = modulestore().get_item(location, depth=1)
+    try:
+        item = modulestore().get_item(location, depth=1)
+    except ItemNotFoundError:
+        return HttpResponseBadRequest()

    lms_link = get_lms_link_for_item(item.location, course_id=course.location.course_id)