From 8e6de2790ea0d5ec619fdca582bbf9a56506755c Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Fri, 3 Jan 2025 15:16:00 -0800
Subject: [PATCH] Fix: do not accept empty string for doc link value via API
 (#8596)

---
 src/documents/serialisers.py                  |  4 ++++
 src/documents/tests/test_api_custom_fields.py | 14 ++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/src/documents/serialisers.py b/src/documents/serialisers.py
index 31871a3ad..e051e00d6 100644
--- a/src/documents/serialisers.py
+++ b/src/documents/serialisers.py
@@ -668,6 +668,10 @@ class CustomFieldInstanceSerializer(serializers.ModelSerializer):
                         f"Value must be an id of an element in {select_options}",
                     )
             elif field.data_type == CustomField.FieldDataType.DOCUMENTLINK:
+                if not (isinstance(data["value"], list) or data["value"] is None):
+                    raise serializers.ValidationError(
+                        "Value must be a list",
+                    )
                 doc_ids = data["value"]
                 if Document.objects.filter(id__in=doc_ids).count() != len(
                     data["value"],
diff --git a/src/documents/tests/test_api_custom_fields.py b/src/documents/tests/test_api_custom_fields.py
index 11911f6ab..8c809429f 100644
--- a/src/documents/tests/test_api_custom_fields.py
+++ b/src/documents/tests/test_api_custom_fields.py
@@ -886,6 +886,7 @@ class TestCustomFieldsAPI(DirectoriesMixin, APITestCase):
             - Document & custom field exist
         WHEN:
             - API request to set a field value to a document that does not exist
+            - API request to set a field value to empty string
         THEN:
             - HTTP 400 is returned
             - No field instance is created or attached to the document
@@ -916,6 +917,19 @@ class TestCustomFieldsAPI(DirectoriesMixin, APITestCase):
         self.assertEqual(CustomFieldInstance.objects.count(), 0)
         self.assertEqual(len(doc.custom_fields.all()), 0)
 
+        resp = self.client.patch(
+            f"/api/documents/{doc.id}/",
+            data={
+                "custom_fields": [
+                    {"field": custom_field_documentlink.id, "value": ""},
+                ],
+            },
+            format="json",
+        )
+
+        self.assertEqual(resp.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(CustomFieldInstance.objects.count(), 0)
+
     def test_custom_field_not_null(self):
         """
         GIVEN: