diff --git a/CHANGELOG.md b/CHANGELOG.md
index c8088a54..f237c46b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file.
 ### Bug Fixes
 - Fix hc.api.views.ping to handle non-utf8 data in request body (#574)
+- Fix a crash when hc.api.views.pause receives a single integer in request body
 ## v1.23.1 - 2021-10-13
diff --git a/hc/api/decorators.py b/hc/api/decorators.py
index 09885067..c3a41034 100644
--- a/hc/api/decorators.py
+++ b/hc/api/decorators.py
@@ -61,12 +61,12 @@ def authorize_read(f):
     return wrapper
 
 
-def validate_json(schema=None):
+def validate_json(schema={"type": "object"}):
     """
     Parse request json and validate it against `schema`.
     Put the parsed result in `request.json`.
 
-    If schema is None then only parse and don't validate.
-    Supports a limited subset of JSON schema spec.
+    If schema is None then only parse and check if the root
+    element is a dict. Supports a limited subset of JSON schema spec.
     """
 
@@ -81,11 +81,10 @@ def validate_json(schema=None):
         else:
             request.json = {}
 
-        if schema:
-            try:
-                validate(request.json, schema)
-            except ValidationError as e:
-                return error("json validation error: %s" % e)
+        try:
+            validate(request.json, schema)
+        except ValidationError as e:
+            return error("json validation error: %s" % e)
 
         return f(request, *args, **kwds)
 
diff --git a/hc/api/tests/test_pause.py b/hc/api/tests/test_pause.py
index 85e980e8..ffe0d112 100644
--- a/hc/api/tests/test_pause.py
+++ b/hc/api/tests/test_pause.py
@@ -94,3 +94,10 @@ class PauseTestCase(BaseTestCase):
         self.profile.refresh_from_db()
         self.assertIsNone(self.profile.next_nag_date)
 
+
+    def test_it_rejects_non_dict_post_body(self):
+        r = self.csrf_client.post(self.url, "123", content_type="application/json")
+        self.assertEqual(r.status_code, 400)
+        self.assertEqual(
+            r.json()["error"], "json validation error: value is not an object"
+        )
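Review bot: The rewritten docstring in the first `hc/api/decorators.py` hunk still describes a `schema is None` case, but with the `if schema:` guard removed in the second hunk a caller passing `schema=None` now reaches `validate(request.json, None)`, so that documented path no longer exists unless `validate` itself tolerates a None schema (its implementation is outside this diff). The mutable-dict default `schema={"type": "object"}` is also the pattern bugbear flags as B006; it is only read here, but a `None` default with a fallback makes the contract match the docstring: keep `def validate_json(schema=None):` and add, before the `validate` call, `if schema is None: schema = {"type": "object"}`, with the docstring sentence reading `If schema is None, only check that the root element is an object.`. Requiring an object root for every decorated view is the right default at this input boundary, since views that index `request.json` would otherwise fail on an array or scalar body instead of returning 400. The `validate_json` body continues between the two hunks.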
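Review bot: The new `test_it_rejects_non_dict_post_body` pins only the scalar case, while the check it exercises now lives in the `validate_json` decorator and applies to any non-object root; a second post with body `"[]"` asserting the same 400 and error string would document that intent and protect it if the schema default is later narrowed. The `PauseTestCase` class starts outside the hunk.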