Bug #14381 » master.patch
app/controllers/katello/api/v2/api_controller.rb | ||
---|---|---|
sort_attr = params[:sort_by] || default_sort_by
|
||
if sort_attr
|
||
sort_attr = "#{query.table_name}.#{sort_attr}" unless sort_attr.to_s.include?('.')
|
||
query = query.order("#{sort_attr} #{params[:sort_order] || default_sort_order}")
|
||
sort_order = (params[:sort_order] || default_sort_order).to_s.downcase
|
||
sort_order = default_sort_order unless ['desc', 'asc'].include?(sort_order)
|
||
query = query.order(sort_attr => sort_order.to_sym)
|
||
elsif options[:custom_sort]
|
||
query = options[:custom_sort].call(query)
|
||
end
|
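Review bot: `sort_attr` is still taken straight from `params[:sort_by]` (first line of the hunk) and interpolated into `"#{query.table_name}.#{sort_attr}"`, so only half of the user-controlled ORDER BY input is validated by this change. Whether the hash form `query.order(sort_attr => sort_order.to_sym)` quotes a dotted string key as an identifier depends on the ActiveRecord version in use, so `sort_by` should be checked against an allowlist of sortable columns before it reaches `order`, e.g. `sort_attr = default_sort_by unless query.klass.column_names.include?(sort_attr.to_s)` for the un-dotted case (joined-table columns would need their own list). The fallback on the second added line also reintroduces whatever `default_sort_order` returns: if that method (defined outside the hunk) can return nil, `sort_order.to_sym` raises NoMethodError on an invalid `sort_order`, which `sort_order = 'asc' unless %w[desc asc].include?(sort_order)` or validating `default_sort_order` the same way would avoid. The enclosing `scoped_search` body starts and ends outside the hunk.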
test/controllers/api/v2/api_controller_test.rb | ||
---|---|---|
# encoding: utf-8
|
||
require "katello_test_helper"
|
||
module Katello
|
||
class Api::V2::ApiControllerTest < ActionController::TestCase
|
||
def setup
|
||
@controller = Katello::Api::V2::ApiController.new
|
||
@errata = katello_errata
|
||
end
|
||
def test_scoped_search_order
|
||
params = {:sort_by => "errata_id", :sort_order => "DESC'"} # sql injection
|
||
@controller.stubs(:params).returns(params)
|
||
query = Erratum.all
|
||
options = {resource_class: Katello::Erratum}
|
||
results = @controller.scoped_search(query, "errata_id", "asc", options)[:results]
|
||
assert_equal ["RHBA-2014-013", "RHEA-2014-111", "RHSA-1999-1231"], results.map(&:errata_id)
|
||
end
|
||
end
|
||
end
|
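Review bot: `test_scoped_search_order` only exercises an injected `sort_order`; nothing checks `sort_by`, the other user-controlled half of the ORDER BY, and nothing pins the valid path, so a regression that ignores `sort_order` entirely would still pass because the expected list equals the `"asc"` default passed as the third argument. Add one case with `:sort_order => "desc"` asserting the reversed list, and one with a `:sort_by` value containing SQL metacharacters asserting it is rejected rather than interpolated. The comment `# sql injection` could state the intent: `# an invalid sort_order must fall back to the default instead of reaching SQL`.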