Merge pull request #598 from coreos-inc/limitbadquery

Prevent unlimited insane query from running and fix tests

endpoints/api/repository.py

@@ -146,6 +146,10 @@ class RepositoryList(ApiResource):
       starred_repos = model.repository.get_user_starred_repositories(get_authenticated_user())
       star_lookup = set([repo.id for repo in starred_repos])
 
+    # If the user asked for only public repositories, limit to only public repos.
+    if public and (not namespace and not starred):
+      username = None
+
     # Find the matching repositories.
     repositories = model.repository.get_visible_repositories(username=username,
                                                              limit=limit,
@@ -177,6 +181,8 @@ class RepositoryList(ApiResource):
   def get(self, args):
     """ Fetch the list of repositories visible to the current user under a variety of situations.
     """
+    if not args['namespace'] and not args['starred'] and not args['public']:
+      raise InvalidRequest('namespace, starred or public are required for this API call')
 
     repositories, star_lookup = self._load_repositories(args['namespace'], args['public'],
                                                         args['starred'], args['limit'],

endpoints/v1/index.py

@@ -329,7 +329,8 @@ def get_search():
     username = user.username
 
   results = []
-  conduct_repo_search(username, query, results)
+  if query:
+    conduct_repo_search(username, query, results)
 
   data = {
     "query": query,

test/test_api_security.py

@@ -378,16 +378,16 @@ class TestRepositoryList(ApiTestCase):
     self._set_url(RepositoryList)
 
   def test_get_anonymous(self):
-    self._run_test('GET', 200, None, None)
+    self._run_test('GET', 400, None, None)
 
   def test_get_freshuser(self):
-    self._run_test('GET', 200, 'freshuser', None)
+    self._run_test('GET', 400, 'freshuser', None)
 
   def test_get_reader(self):
-    self._run_test('GET', 200, 'reader', None)
+    self._run_test('GET', 400, 'reader', None)
 
   def test_get_devtable(self):
-    self._run_test('GET', 200, 'devtable', None)
+    self._run_test('GET', 400, 'devtable', None)
 
   def test_post_anonymous(self):
     self._run_test('POST', 400, None, {u'visibility': u'public', u'repository': 'XZGB',

test/test_api_usage.py

@@ -1331,14 +1331,14 @@ class TestListRepos(ApiTestCase):
 
     self.assertEquals(len(json['repositories']), 1)
 
-  def test_listrepos_orgmember(self):
+  def test_listrepos_asorgmember(self):
     self.login(READ_ACCESS_USER)
 
     # Queries: Base + the list query
     with assert_query_count(BASE_LOGGEDIN_QUERY_COUNT + 1):
       json = self.getJsonResponse(RepositoryList, params=dict(public=True))
 
-    self.assertGreater(len(json['repositories']), 1)
+    self.assertGreater(len(json['repositories']), 0)
 
   def test_listrepos_filter(self):
     self.login(READ_ACCESS_USER)
@@ -1353,7 +1353,7 @@ class TestListRepos(ApiTestCase):
 
   def test_listrepos_limit(self):
     self.login(READ_ACCESS_USER)
-    json = self.getJsonResponse(RepositoryList, params=dict(limit=1))
+    json = self.getJsonResponse(RepositoryList, params=dict(limit=1, public=True))
     self.assertEquals(len(json['repositories']), 1)
 
   def test_listrepos_allparams(self):