fix: only query OEmbed map on id and fallback to 404

This commit is contained in:
David Larlet 2024-02-12 21:14:21 -05:00
parent 9426570b6e
commit cf319ca53e
No known key found for this signature in database
GPG key ID: 3E2953A359E7E7BD
2 changed files with 10 additions and 1 deletions

View file

@ -775,6 +775,15 @@ def test_oembed_no_url_map(client, map, datalayer):
assert response.status_code == 404 assert response.status_code == 404
def test_oembed_unknown_url_map(client, map, datalayer):
map_url = f"http://testserver{map.get_absolute_url()}"
# We change to an unknown id prefix to keep URL structure.
map_url = map_url.replace("map_", "_111")
url = f"{reverse('map_oembed')}?url={map_url}"
response = client.get(url)
assert response.status_code == 404
def test_oembed_wrong_format_map(client, map, datalayer): def test_oembed_wrong_format_map(client, map, datalayer):
url = ( url = (
f"{reverse('map_oembed')}" f"{reverse('map_oembed')}"

View file

@ -695,7 +695,7 @@ class MapOEmbed(View):
if "slug" not in kwargs or "map_id" not in kwargs: if "slug" not in kwargs or "map_id" not in kwargs:
raise Http404("Invalid URL path.") raise Http404("Invalid URL path.")
map_ = Map.objects.get(id=kwargs["map_id"], slug=kwargs["slug"]) map_ = get_object_or_404(Map, id=kwargs["map_id"])
if map_.share_status != Map.PUBLIC: if map_.share_status != Map.PUBLIC:
raise PermissionDenied("This map is not public.") raise PermissionDenied("This map is not public.")