From 08c4bf2e3655ee44d46b531702153425991a5415 Mon Sep 17 00:00:00 2001 From: Rio6 Date: Wed, 18 Aug 2021 16:52:47 -0400 Subject: [PATCH] add input validation to positions api --- ceod/api/positions.py | 23 ++++++++++++++++++----- tests/ceod_dev.ini | 4 ++++ 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/ceod/api/positions.py b/ceod/api/positions.py index 812ec80..46fdf8e 100644 --- a/ceod/api/positions.py +++ b/ceod/api/positions.py @@ -4,7 +4,7 @@ from zope import component from ceod.transactions.members import UpdateMemberPositionsTransaction from .utils import authz_restrict_to_syscom, requires_authentication_no_realm, create_streaming_response -from ceo_common.interfaces import ILDAPService +from ceo_common.interfaces import ILDAPService, IConfig bp = Blueprint('positions', __name__) @@ -13,10 +13,8 @@ bp = Blueprint('positions', __name__) def get_positions(auth_user: str): ldap_srv = component.getUtility(ILDAPService) - users = ldap_srv.get_users_with_positions() - positions = {} - for user in users: + for user in ldap_srv.get_users_with_positions(): for position in user.positions: positions[position] = user.uid @@ -25,8 +23,23 @@ def get_positions(auth_user: str): @bp.route('/', methods=['POST']) @authz_restrict_to_syscom def update_positions(): + cfg = component.getUtility(IConfig) body = request.get_json(force=True) - # TODO verify json + + required = cfg.get('auxiliary positions_required') + available = cfg.get('auxiliary positions_available') + + for position in body.keys(): + if position not in available: + return { + 'error': f'unknown position: {position}' + }, 404 + + for position in required: + if position not in body: + return { + 'error': f'missing required position: {position}' + }, 400 txn = UpdateMemberPositionsTransaction(body) return create_streaming_response(txn) diff --git a/tests/ceod_dev.ini b/tests/ceod_dev.ini index 6e7fd38..8527421 100644 --- a/tests/ceod_dev.ini +++ b/tests/ceod_dev.ini 
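Review bot: `positions = {}` is removed from get_positions while the loop body still assigns `positions[position] = user.uid`, so on the new side the name has no binding inside the function and the first user with a position would raise a NameError, unless `positions` is bound somewhere outside the hunk (the function's tail is not shown). Keep the initializer on the new side: `positions = {}` immediately before `for user in ldap_srv.get_users_with_positions():`. The hunk's trailing lines are collapsed in this view, so the return of the dict cannot be checked here either.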
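Review bot: `for position in body.keys():` in update_positions assumes the decoded JSON is an object, but `request.get_json(force=True)` returns whatever JSON value the client sent (list, string, number, null), and for those `.keys()` raises AttributeError and surfaces as a 500 instead of a validation error. Guard it right after the decode: `if not isinstance(body, dict): return {'error': 'expected a JSON object'}, 400` (and `for position in body:` is the idiomatic iteration). The `position not in available` test also relies on `cfg.get` returning a list; if it hands back the raw comma-separated string from the ini, `in` becomes a substring test and would accept partial names, which is worth confirming against IConfig. A 404 for an unknown key in the request body reads as a client-input error; 400 is the conventional status since the route itself exists.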
@@ -52,3 +52,7 @@ office = cdrom,audio,video,www [auxiliary mailing lists] syscom = syscom,syscom-alerts exec = exec + +[auxiliary positions] +required = president,vice-president,sysadmin +available = president,vice-president,treasurer,secretary,sysadmin,cro,librarian,imapd,webmaster,offsck