Bug #14381 » master.patch

master/3.0 patch - David Davis, 04/11/2016 01:39 PM


app/controllers/katello/api/v2/api_controller.rb
sort_attr = params[:sort_by] || default_sort_by
if sort_attr
sort_attr = "#{query.table_name}.#{sort_attr}" unless sort_attr.to_s.include?('.')
query = query.order("#{sort_attr} #{params[:sort_order] || default_sort_order}")
sort_order = (params[:sort_order] || default_sort_order).to_s.downcase
sort_order = default_sort_order unless ['desc', 'asc'].include?(sort_order)
query = query.order(sort_attr => sort_order.to_sym)
elsif options[:custom_sort]
query = options[:custom_sort].call(query)
end
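Review bot: `sort_by` still reaches `order` unvalidated on the new `query.order(sort_attr => sort_order.to_sym)` line; the hash form makes Arel quote the key as an identifier, which closes the direct string-interpolation hole, but any column name or garbage identifier a caller sends now surfaces as a database error instead of a 4xx, so whitelist it first, e.g. `raise ArgumentError, "invalid sort_by" unless query.column_names.include?(sort_attr.to_s.split('.').last)` (adapt if joined-table columns are legitimately sortable here). The fallback `sort_order = default_sort_order unless ['desc', 'asc'].include?(sort_order)` assigns the default without the `to_s.downcase` normalization applied on the line above, so if `default_sort_order` can ever be nil or upper-case, `.to_sym` on the next line receives it unnormalized — worth asserting the default is already one of `asc`/`desc`, or re-applying the normalization after the fallback. Whether the Rails version in use quotes a `"table.column"` string hash key as two identifiers or one is not visible here; check the generated SQL for a `sort_by` without a dot, since the first line of the hunk always prepends `query.table_name`. The enclosing `scoped_search` method starts before and continues after this hunk.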
test/controllers/api/v2/api_controller_test.rb
# encoding: utf-8
require "katello_test_helper"
module Katello
class Api::V2::ApiControllerTest < ActionController::TestCase
def setup
@controller = Katello::Api::V2::ApiController.new
@errata = katello_errata
end
def test_scoped_search_order
params = {:sort_by => "errata_id", :sort_order => "DESC'"} # sql injection
@controller.stubs(:params).returns(params)
query = Erratum.all
options = {resource_class: Katello::Erratum}
results = @controller.scoped_search(query, "errata_id", "asc", options)[:results]
assert_equal ["RHBA-2014-013", "RHEA-2014-111", "RHSA-1999-1231"], results.map(&:errata_id)
end
end
end
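Review bot: The test pins only the `sort_order` vector; `sort_by` is the other user-controlled value that reaches `ORDER BY` in the controller, so a second case with `:sort_by => "errata_id) --"` (or an unknown column name) asserting either the default ordering or a rejection would cover the remaining input. The expected list hard-codes the three `katello_errata` fixture IDs as the entire table, so any fixture addition breaks the assertion without a code change; comparing against `Erratum.order(:errata_id).pluck(:errata_id)` keeps the ordering check while decoupling it from the fixture count. A one-line comment such as `# invalid sort_order must fall back to the "asc" default, not reach the SQL` above the params hash would state what the trailing quote is meant to prove more clearly than the bare `# sql injection` tag.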