API: Do not crash if invalid data type is given for name_parts

2023-01-02 10:17:00 +01:00
parent d3698b3e2f
commit ddbe38ca53
3 changed files with 27 additions and 0 deletions
--- a/src/pretix/api/serializers/order.py
+++ b/src/pretix/api/serializers/order.py
@@ -118,6 +118,10 @@ class InvoiceAddressSerializer(I18nAwareModelSerializer):
            raise ValidationError(
                {'name': ['Do not specify name if you specified name_parts.']}
            )
+
+        if data.get('name_parts') and not isinstance(data.get('name_parts'), dict):
+            raise ValidationError({'name_parts': ['Invalid data type']})
+
        if data.get('name_parts') and '_scheme' not in data.get('name_parts'):
            data['name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme

@@ -841,6 +845,10 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
            raise ValidationError(
                {'attendee_name': ['Do not specify attendee_name if you specified attendee_name_parts.']}
            )
+
+        if data.get('attendee_name_parts') and not isinstance(data.get('attendee_name_parts'), dict):
+            raise ValidationError({'attendee_name_parts': ['Invalid data type']})
+
        if data.get('attendee_name_parts') and '_scheme' not in data.get('attendee_name_parts'):
            data['attendee_name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme

--- a/src/pretix/api/serializers/organizer.py
+++ b/src/pretix/api/serializers/organizer.py
@@ -79,6 +79,13 @@ class CustomerSerializer(I18nAwareModelSerializer):
            validated_data['external_identifier'] = instance.external_identifier
        return super().update(instance, validated_data)

+    def validate(self, data):
+        if data.get('name_parts') and not isinstance(data.get('name_parts'), dict):
+            raise ValidationError({'name_parts': ['Invalid data type']})
+        if data.get('name_parts') and '_scheme' not in data.get('name_parts'):
+            data['name_parts']['_scheme'] = self.context['request'].organizer.settings.name_scheme
+        return data
+

 class CustomerCreateSerializer(CustomerSerializer):
    send_email = serializers.BooleanField(default=False, required=False, allow_null=True)
--- a/src/tests/api/test_customers.py
+++ b/src/tests/api/test_customers.py
@@ -179,3 +179,15 @@ def test_customer_delete(token_client, organizer, customer):
        '/api/v1/organizers/{}/customers/{}/'.format(organizer.slug, customer.identifier),
    )
    assert resp.status_code == 405
+
+
+@pytest.mark.django_db
+def test_customer_patch_invalid_name(token_client, organizer, customer):
+    resp = token_client.patch(
+        '/api/v1/organizers/{}/customers/{}/'.format(organizer.slug, customer.identifier),
+        format='json',
+        data={
+            'name_parts': 'should be a dictionary',
+        }
+    )
+    assert resp.status_code == 400