add input validation to positions api

ceod/api/positions.py

@@ -4,7 +4,7 @@ from zope import component
 
 from ceod.transactions.members import UpdateMemberPositionsTransaction
 from .utils import authz_restrict_to_syscom, requires_authentication_no_realm, create_streaming_response
-from ceo_common.interfaces import ILDAPService
+from ceo_common.interfaces import ILDAPService, IConfig
 
 bp = Blueprint('positions', __name__)
 
@@ -13,10 +13,8 @@ bp = Blueprint('positions', __name__)
 def get_positions(auth_user: str):
     ldap_srv = component.getUtility(ILDAPService)
 
-    users = ldap_srv.get_users_with_positions()
-
     positions = {}
-    for user in users:
+    for user in ldap_srv.get_users_with_positions():
         for position in user.positions:
             positions[position] = user.uid
 
@@ -25,8 +23,23 @@ def get_positions(auth_user: str):
 @bp.route('/', methods=['POST'])
 @authz_restrict_to_syscom
 def update_positions():
+    cfg = component.getUtility(IConfig)
     body = request.get_json(force=True)
-    # TODO verify json
+
+    required = cfg.get('auxiliary positions_required')
+    available = cfg.get('auxiliary positions_available')
+
+    for position in body.keys():
+        if position not in available:
+            return {
+                'error': f'unknown position: {position}'
+            }, 404
+
+    for position in required:
+        if position not in body:
+            return {
+                'error': f'missing required position: {position}'
+            }, 400
 
     txn = UpdateMemberPositionsTransaction(body)
     return create_streaming_response(txn)

tests/ceod_dev.ini

@@ -52,3 +52,7 @@ office = cdrom,audio,video,www
 [auxiliary mailing lists]
 syscom = syscom,syscom-alerts
 exec = exec
+
+[auxiliary positions]
+required = president,vice-president,sysadmin
+available = president,vice-president,treasurer,secretary,sysadmin,cro,librarian,imapd,webmaster,offsck