Fix: fix some API crashes (#10196)

2025-07-30 18:27:45 -05:00 · 2025-06-16 22:44:39 -07:00
parent de12023311
commit e4fd008441
6 changed files with 124 additions and 7 deletions
--- a/src/documents/serialisers.py
+++ b/src/documents/serialisers.py
@@ -1189,7 +1189,6 @@ class SavedViewSerializer(OwnedObjectSerializer):
            "owner",
            "permissions",
            "user_can_change",
-            "set_permissions",
        ]

    def validate(self, attrs):
@@ -1754,6 +1753,8 @@ class StoragePathSerializer(MatchingModelSerializer, OwnedObjectSerializer):


 class UiSettingsViewSerializer(serializers.ModelSerializer):
+    settings = serializers.DictField(required=False, allow_null=True)
+
    class Meta:
        model = UiSettings
        depth = 1
@@ -2020,8 +2021,9 @@ class WorkflowTriggerSerializer(serializers.ModelSerializer):
        ):
            attrs["filter_path"] = None

+        trigger_type = attrs.get("type", getattr(self.instance, "type", None))
        if (
-            attrs["type"] == WorkflowTrigger.WorkflowTriggerType.CONSUMPTION
+            trigger_type == WorkflowTrigger.WorkflowTriggerType.CONSUMPTION
            and "filter_mailrule" not in attrs
            and ("filter_filename" not in attrs or attrs["filter_filename"] is None)
            and ("filter_path" not in attrs or attrs["filter_path"] is None)
--- a/src/documents/tests/test_api_app_config.py
+++ b/src/documents/tests/test_api_app_config.py
@@ -167,3 +167,25 @@ class TestApiAppConfig(DirectoriesMixin, APITestCase):
                },
            )
        self.assertFalse(Path(old_logo.path).exists())
+
+    def test_create_not_allowed(self):
+        """
+        GIVEN:
+            - API request to create a new app config
+        WHEN:
+            - API is called
+        THEN:
+            - Correct HTTP response
+            - No new config is created
+        """
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "output_type": "pdf",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
+        self.assertEqual(ApplicationConfiguration.objects.count(), 1)
--- a/src/documents/tests/test_api_uisettings.py
+++ b/src/documents/tests/test_api_uisettings.py
@@ -117,6 +117,30 @@ class TestApiUiSettings(DirectoriesMixin, APITestCase):

        self.assertEqual(response.status_code, status.HTTP_200_OK)

+    def test_settings_must_be_dict(self):
+        """
+        GIVEN:
+            - API request to update ui_settings with settings not being a dict
+        WHEN:
+            - API is called
+        THEN:
+            - Correct HTTP 400 response
+        """
+        response = self.client.post(
+            self.ENDPOINT,
+            json.dumps(
+                {
+                    "settings": "not a dict",
+                },
+            ),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn(
+            "Expected a dictionary",
+            str(response.data["settings"]),
+        )
+
    @override_settings(
        OAUTH_CALLBACK_BASE_URL="http://localhost:8000",
        GMAIL_OAUTH_CLIENT_ID="abc123",