From eefa5fb5236b711c9717c222b48fb21ed6636176 Mon Sep 17 00:00:00 2001
From: Simon Willison
Date: Tue, 11 May 2021 12:44:49 -0700
Subject: [PATCH] Don't persist _save- cruft in query_string, closes #104
---
 django_sql_dashboard/views.py | 1 +
 test_project/test_dashboard.py | 18 ++++++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/django_sql_dashboard/views.py b/django_sql_dashboard/views.py
index 553bd9d..4ad5075 100644
--- a/django_sql_dashboard/views.py
+++ b/django_sql_dashboard/views.py
@@ -86,6 +86,7 @@ def dashboard_index(request):
 (key, value)
 for key, value in request.POST.items()
 if key not in ("sql", "csrfmiddlewaretoken")
+ and not key.startswith("_save-")
 ]
 signed_sqls = [sign_sql(sql) for sql in sqls if sql.strip()]
 params = {
diff --git a/test_project/test_dashboard.py b/test_project/test_dashboard.py
index c1126f7..b2f878a 100644
--- a/test_project/test_dashboard.py
+++ b/test_project/test_dashboard.py
@@ -15,10 +15,24 @@ def test_dashboard_submit_sql(admin_client, dashboard_db):
 assert get_response.status_code == 200
 assert get_response["Content-Security-Policy"] == "frame-ancestors 'self'"
 sql = "select 14 + 33"
- response = admin_client.post("/dashboard/", {"sql": sql})
+ response = admin_client.post(
+ "/dashboard/",
+ {
+ "sql": sql,
+ "_save-title": "",
+ "_save-slug": "",
+ "_save-description": "",
+ "_save-view_policy": "private",
+ "_save-view_group": "",
+ "_save-edit_policy": "private",
+ "_save-edit_group": "",
+ },
+ )
 assert response.status_code == 302
 # Should redirect to ?sql=signed-value
- signed_sql = urllib.parse.parse_qs(response.url.split("?")[1])["sql"][0]
+ bits = urllib.parse.parse_qs(response.url.split("?")[1])
+ assert set(bits.keys()) == {"sql"}
+ signed_sql = bits["sql"][0]
 assert signed_sql == sign_sql(sql)
 # GET against this new location should return correct result
 get_response = admin_client.get(response.url)
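Review bot: The added `and not key.startswith("_save-")` clause keeps the exclusion a denylist, so every other POST key still flows into `params` and, as the test in this same commit shows, into the redirect's query string; any field added to the page later will be persisted unless someone remembers to extend this condition. If only a known set of keys is meant to survive (the signed `sql` plus whatever the dashboard accepts as query parameters), an allowlist of those names would fail closed instead of relying on the exclusion list staying complete. The `"_save-"` literal presumably mirrors the save form's prefix, which is not visible in this hunk; a comment such as `# "_save-*" are the save-dashboard form's fields, not query parameters; keep in step with that form's prefix` would tie the two together for the next maintainer. `dashboard_index` begins before this hunk and continues after it.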
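Review bot: `assert set(bits.keys()) == {"sql"}` pins that the `_save-*` fields are dropped, but nothing here checks that a POST key outside the excluded set still reaches the redirect, so a regression that strips every extra key would pass unnoticed; if such keys are meant to survive (the view change in this commit excludes only `sql`, `csrfmiddlewaretoken` and `_save-*`), a second post carrying one extra key and asserting it appears in the parsed query would cover that. The `_save-*` names are typed out by hand, so the test silently stops exercising the filter if the form's fields are renamed; a short comment noting they mirror the save form's fields would at least flag the coupling. `bits` would read better as a descriptive name, e.g. `query = urllib.parse.parse_qs(response.url.split("?")[1])`. `test_dashboard_submit_sql` begins before this hunk and appears to continue past it.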