From 4a338deb9343a0e542932684dc6ec482b7ef2692 Mon Sep 17 00:00:00 2001
From: Todd Dembrey <todd.dembrey@torchbox.com>
Date: Thu, 28 Feb 2019 12:54:10 +0000
Subject: [PATCH] GH-859: Handle incorrectly configured urls

---
 opentech/apply/determinations/tests/test_views.py | 13 +++++++++++++
 opentech/apply/determinations/views.py            | 13 +++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/opentech/apply/determinations/tests/test_views.py b/opentech/apply/determinations/tests/test_views.py
index 062e9f6f3..01a61dbdb 100644
--- a/opentech/apply/determinations/tests/test_views.py
+++ b/opentech/apply/determinations/tests/test_views.py
@@ -123,6 +123,19 @@ class BatchDeterminationTestCase(BaseViewTestCase):
     url_name = 'funds:submissions:determinations:{}'
     base_view_name = 'batch'
 
+    def test_cant_access_without_submissions(self):
+        url = self.url(None) + '?action=rejected'
+        response = self.client.get(url, follow=True, secure=True)
+        self.assertRedirects(response, self.url_from_pattern('apply:submissions:list'))
+        self.assertEqual(len(response.context['messages']), 1)
+
+    def test_cant_access_without_action(self):
+        submission = ApplicationSubmissionFactory()
+        url = self.url(None) + '?submissions=' + str(submission.id)
+        response = self.client.get(url, follow=True, secure=True)
+        self.assertRedirects(response, self.url_from_pattern('apply:submissions:list'))
+        self.assertEqual(len(response.context['messages']), 1)
+
     def test_can_submit_batch_determination(self):
         submissions = ApplicationSubmissionFactory.create_batch(4)
 
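Review bot: The two added tests cover a missing `submissions` or `action` parameter, but not the malformed-id path that `get_submissions()` in views.py now turns into a redirect (`ValueError` returning `None`), nor ids that match no row. A request with a non-numeric id should be pinned too, so a later refactor cannot let unparsed input reach the queryset. Both tests also assert only the message count, so checking the message text or level would make them stricter. The suggested test below reuses only the helpers already used in this hunk; `test_can_submit_batch_determination` continues outside it.

```python
    def test_cant_access_with_malformed_submissions(self):
        # constructed sample value: any non-integer id should be rejected
        url = self.url(None) + '?action=rejected&submissions=not-a-number'
        response = self.client.get(url, follow=True, secure=True)
        self.assertRedirects(response, self.url_from_pattern('apply:submissions:list'))
        self.assertEqual(len(response.context['messages']), 1)
```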
diff --git a/opentech/apply/determinations/views.py b/opentech/apply/determinations/views.py
index 373812be3..7055211ee 100644
--- a/opentech/apply/determinations/views.py
+++ b/opentech/apply/determinations/views.py
@@ -56,15 +56,24 @@ def get_form_for_stage(submission, batch=False):
 class BatchDeterminationCreateView(CreateView):
     template_name = 'determinations/batch_determination_form.html'
 
+    def dispatch(self, *args, **kwargs):
+        if not self.get_action() or not self.get_submissions():
+            messages.warning(self.request, 'Improperly configured request, please try again.')
+            return HttpResponseRedirect(self.get_success_url())
+        return super().dispatch(*args, **kwargs)
+
     def get_action(self):
         return self.request.GET.get('action', '')
 
     def get_submissions(self):
-        submission_ids = self.request.GET.get('submissions').split(',')
+        try:
+            submission_ids = self.request.GET.get('submissions').split(',')
+        except AttributeError:
+            return None
         try:
             ids = [int(pk) for pk in submission_ids]
         except ValueError:
-            ids = []
+            return None
         return ApplicationSubmission.objects.filter(id__in=ids)
 
     def get_form_kwargs(self):
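Review bot: The new `dispatch` guard treats any non-empty `action` as valid, so an unrecognised value combined with one existing submission id still reaches the form. If the permitted outcomes are known at this point, the check should test membership in that set rather than truthiness. `get_submissions()` also builds its queryset purely from client-supplied ids with no scoping to the requesting user, and `not self.get_submissions()` runs that query before `super().dispatch()`. Please confirm that the staff/permission check (not visible in this hunk) wraps `dispatch`, so it runs before this lookup and the warning message. Separately, the `try/except AttributeError` can be dropped by writing `submission_ids = self.request.GET.get('submissions', '').split(',')`, since `int('')` already falls into the `ValueError` branch; the class body continues outside the hunk.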
-- 
GitLab