Merge pull request #361 from Pet-projects-CodePET/refactor/validate_f…

…ields fix: Внес изменения:
Pet-projects-CodePET · Aug 2, 2024 · 4d308e9 · 4d308e9
2 parents ca5bd73 + 71a7929
commit 4d308e9
Show file tree

Hide file tree

Showing 10 changed files with 82 additions and 30 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -45,7 +45,7 @@ repos:
         - id: pytest
           name: pytest
           description: 'Run tests with pytest'
-          entry: bash -c 'cd src/backend/; poetry run pytest -vv'
+          entry: 'poetry run pytest -vv'
           language: python
           types: [ python ]
           require_serial: true

diff --git a/pyproject.toml b/pyproject.toml
@@ -59,7 +59,7 @@ extend-exclude = """
 """
 
 [tool.pytest.ini_options]
-pythonpath = "scr/backend"
+pythonpath = "src/backend"
 DJANGO_SETTINGS_MODULE= "config.settings.local"
 testpaths = ["tests",]
 python_files = ['test_*.py', ]
diff --git a/src/backend/api/v1/profile/serializers.py b/src/backend/api/v1/profile/serializers.py
@@ -1,5 +1,7 @@
+import html
 from typing import ClassVar, Optional
 
+import bleach
 from django.core.validators import RegexValidator
 from django.db.models import Q
 from rest_framework import serializers
@@ -224,6 +226,11 @@ class Meta(BaseProfileSerializer.Meta):
         )
         read_only_fields = fields
 
+    def to_representation(self, instance):
+        rep = super().to_representation(instance)
+        rep["about"] = html.unescape(rep["about"])
+        return rep
+
 
 class ProfileMeWriteSerializer(ProfileMeReadSerializer):
     """Сериализатор для обновления профиля его владельцем."""
@@ -244,3 +251,12 @@ class ProfileMeWriteSerializer(ProfileMeReadSerializer):
 
     class Meta(ProfileMeReadSerializer.Meta):
         read_only_fields = ("user_id", "specialists")
+
+    def validate_about(self, value):
+        """
+        Метод валидации и защиты от потенциально вредоносных
+        HTML-тегов и атрибутов.
+        """
+
+        safe_about = bleach.clean(value)
+        return safe_about
diff --git a/src/backend/api/v1/projects/serializers.py b/src/backend/api/v1/projects/serializers.py
@@ -90,22 +90,10 @@ class Meta:
             "project_specialists",
             "status",
         )
-
-    def _get_base_fields(self):
-        """Метод получения полей создателя и владельца."""
-
-        return {
-            "creator": serializers.SlugRelatedField(
-                slug_field="username", read_only=True
-            ),
-        }
-
-    def get_fields(self):
-        """метод получения полей сериализатора."""
-
-        fields = super().get_fields()
-        fields.update(self._get_base_fields())
-        return fields
+        read_only_fields: ClassVar[Tuple[str, ...]] = (
+            "creator",
+            "owner",
+        )
 
 
 class ReadParticipantSerializer(CustomModelSerializer):
@@ -140,6 +128,9 @@ class ReadProjectSerializer(RecruitmentStatusMixin, BaseProjectSerializer):
     recruitment_status = serializers.SerializerMethodField()
     is_favorite = serializers.SerializerMethodField(read_only=True)
     owner = serializers.SerializerMethodField()
+    creator = serializers.SlugRelatedField(
+        slug_field="username", read_only=True
+    )
     project_participants = ReadParticipantSerializer(many=True)
     unique_project_participants_skills = serializers.SerializerMethodField()
 
@@ -158,9 +149,10 @@ def get_is_favorite(self, project) -> bool:
         В противном случе возвращает False.
         Для неавторизованных пользователей всегда возвращает False.
         """
-        user = self.context["request"].user
-        if user.is_authenticated:
-            return project.favorited_by.filter(id=user.id).exists()
+        request = self.context.get("request", None)
+        if user := getattr(request, "user", None):
+            if user.is_authenticated:
+                return project.favorited_by.filter(id=user.id).exists()
         return False
 
     def get_owner(self, project):
@@ -184,6 +176,11 @@ def get_unique_project_participants_skills(self, obj):
         )
         return list(set(all_skills))
 
+    def to_representation(self, instance):
+        rep = super().to_representation(instance)
+        rep["description"] = html.unescape(rep["description"])
+        return rep
+
 
 class WriteProjectSerializer(
     ToRepresentationOnlyIdMixin,
@@ -202,7 +199,6 @@ class Meta(BaseProjectSerializer.Meta):
             "ended": {"required": True},
             "busyness": {"required": True},
             "status": {"required": False},
-            "owner": {"required": False},
         }
 
     def validate_status(self, value) -> int:
@@ -214,6 +210,15 @@ def validate_status(self, value) -> int:
             )
         return value
 
+    def validate_description(self, value):
+        """
+        Метод валидации и защиты от потенциально вредоносных
+        HTML-тегов и атрибутов.
+        """
+
+        safe_description = bleach.clean(value)
+        return safe_description
+
 
 class ShortProjectSpecialistSerializer(BaseProjectSpecialistSerializer):
     """Сериализатор для чтения специалиста необходимого проекту краткий."""
@@ -465,9 +470,9 @@ class ReadRetrieveParticipationRequestSerializer(
     class Meta(ReadListParticipationRequestSerializer.Meta):
         fields: ClassVar[Tuple[str, ...]] = (
             *ReadListParticipationRequestSerializer.Meta.fields,
-            "answer",
-            "cover_letter",
-            "created",
+            "answer",  # какая-то дичь происходит, зачем нам тут видеть и ответ
+            "cover_letter",  # и сопроводительное письмо не понимаю,
+            "created",  # не хочу разбираться сейчас.
         )
 
     def to_representation(self, instance):
@@ -545,6 +550,11 @@ class Meta(ReadRetrieveParticipationRequestSerializer.Meta):
             "author",
         )
 
+    def to_representation(self, instance):
+        rep = super().to_representation(instance)
+        rep["cover_letter"] = html.unescape(rep["cover_letter"])
+        return rep
+
 
 class WriteInvitationToProjectSerializer(
     ToRepresentationOnlyIdMixin, BaseParticipationRequestSerializer
@@ -591,6 +601,12 @@ def validate(self, attrs) -> OrderedDict:
             raise serializers.ValidationError(errors)
         return attrs
 
+    def validate_cover_letter(self, value):
+        escaped_html = bleach.clean(
+            value
+        )  # защита потенциально вредоносных HTML-тегов и атрибутов
+        return escaped_html
+
 
 class PartialWriteInvitationToProjectSerializer(
     CustomModelSerializer, ToRepresentationOnlyIdMixin

diff --git a/src/backend/api/v1/projects/views.py b/src/backend/api/v1/projects/views.py
@@ -135,7 +135,6 @@ def perform_create(self, serializer):
         """
         Метод подготовки данных для процесса предварительного создания проекта.
         """
-
         serializer.save(
             creator=self.request.user,
             owner=self.request.user,

diff --git a/src/backend/tests/conftest.py b/src/backend/tests/conftest.py
@@ -14,3 +14,11 @@ def user(django_user_model):
 def user_client(user, client):
     client.force_login(user)
     return client
+
+
+@pytest.fixture
+def profile(user):
+    profile = user.profile
+    profile.name = "profile_name"
+    profile.save()
+    return profile
diff --git a/src/backend/tests/profile/conftest.py b/src/backend/tests/profile/conftest.py
@@ -4,7 +4,8 @@
 
 
 @pytest.fixture
-def profile(user):
+def profile_new(user):
+    """Профайл с незаполненной информацией"""
     return user.profile
 
 

diff --git a/src/backend/tests/profile/test_model.py b/src/backend/tests/profile/test_model.py
@@ -19,10 +19,10 @@ def test_create_profile_with_user():
 
 
 @pytest.mark.django_db
-def test_update_profiles_data(profile, update_data):
+def test_update_profiles_data(profile_new, update_data):
     """Тест обновления информации в профиле"""
     assert Profile.objects.filter(**update_data).count() == 0
     for field, value in update_data.items():
-        setattr(profile, field, value)
-    profile.save()
+        setattr(profile_new, field, value)
+    profile_new.save()
     assert Profile.objects.filter(**update_data).count() == 1
diff --git a/src/backend/tests/projects/test_model.py → src/backend/tests/projects/test_models.py b/src/backend/tests/projects/test_model.py → src/backend/tests/projects/test_models.py
diff --git a/src/backend/tests/projects/test_serializers.py b/src/backend/tests/projects/test_serializers.py
@@ -0,0 +1,12 @@
+from api.v1.projects.serializers import ReadProjectSerializer
+
+
+def test_owner_field(profile, project):
+    valid_data = {
+        "id": profile.user.id,
+        "username": profile.user.username,
+        "name": profile.name,
+        "avatar": (profile.avatar.url if profile.avatar else None),
+    }
+    serializer = ReadProjectSerializer(instance=project)
+    assert serializer.data["owner"] == valid_data