@validate pollutes keyword args


Laurie

Dec 13, 2007, 7:15:03 PM
to TurboGears, lau...@holoweb.net
I'm new to TurboGears so perhaps this is expected, but it took me a
while to figure out what was going wrong. Basically, whenever I add
@validation to a controller method, the method's keyword arguments
seem to get 'augmented'. This is leading to data corruption as
database columns get overwritten with default/empty values.

Here's some minimal sample code to demonstrate what I've been doing:

# imports added for completeness; the original post omitted them
from sqlobject import SQLObject, StringCol
from turbogears import controllers, expose, validate, validators

class Test(SQLObject):
    name = StringCol(length=128, varchar=True, alternateID=True,
                     unique=True, notNone=True)
    description = StringCol(varchar=False)

class TestController(controllers.Controller):
    class CreateValidation(validators.Schema):
        name = validators.String(not_empty=True)
        description = validators.String(not_empty=True)

    class UpdateValidation(validators.Schema):
        description = validators.String()

    @expose("json")
    def index(self):
        return {'items': Test.select()}

    @expose("json")
    def default(self, id, **kw):
        # /test/<id>?field=value lands here and is forwarded to update()
        return self.update(id, **kw)

    @expose("json")
    @validate(validators=CreateValidation())
    def create(self, **kw):
        obj = Test(name=kw['name'], description=kw['description'])
        return {'item': obj}

    @validate(validators=UpdateValidation())
    def update(self, id, **kw):
        obj = Test.byName(id)
        # every keyword that survives validation becomes a column write
        for k in kw.keys():
            print 'setting %s=%s' % (k, kw[k])
            setattr(obj, k, kw[k])
        return {'item': obj}

class Root(controllers.RootController):
    test = TestController()

The idea is I should be able to submit a request like

http://.../test/item1?description=something

Of course, in a real world example, there would be more fields in my
model, so I want to only update those fields that are specified in the
request.

Everything works well until I add the @validation. Now, if I submit
the above URL without the description parameter, I still get a
'description' entry in the kw dict, with an empty string value. As a
result, the description gets blanked out.

Is this intended? Is validation doing something it shouldn't be, or am
I using it incorrectly? Is there a different pattern I should be using
to write my update() method to avoid this?

Any advice gratefully received!

L.

Ben Sizer

Dec 14, 2007, 9:07:52 AM
to TurboGears
On Dec 14, 12:15 am, Laurie <laurie.harper...@gmail.com> wrote:
> I'm new to TurboGears so perhaps this is expected, but it took me a
> while to figure out what was going wrong. Basically, whenever I add
> @validation to a controller method, the method's keyword arguments
> seem to get 'augmented'. This is leading to data corruption as
> database columns get overwritten with default/empty values.

Since the keyword arguments are based on user input, I would say that
basically you should never be trusting it when it comes to which
columns in the database to edit. This is a heavily wrapped, heavily
abstracted version of SQL injection attacks. If this is an internal
app with no malicious or incompetent users then I can see why you
might want to do it this way, however.

But, if the validator is actually adding a keyword argument, it makes
me wonder what would happen if you explicitly defined that keyword
argument for some other purpose. Maybe someone else can shed some
light on the matter.

--
Ben Sizer

Barry Hart

Dec 14, 2007, 9:18:32 AM
to turbo...@googlegroups.com
Try this:

        description =  validators.String(if_empty=None)

You will still see a description argument if it's missing from the URL, but it'll be None, which is easier to detect.

Alternatively, if all your parameters are strings, you don't even have to use validation. Just declare your controller method to take **kw.

Barry
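As an added example (not code from this thread, from TurboGears or from SQLObject), here is a plain-Python stand-in for the update() method that combines Ben's point (never let the request decide which columns get written) with the if_empty=None suggestion above. Nothing is imported from TurboGears, SQLObject or FormEncode; FakeTest, UPDATABLE_FIELDS and the 'owner' column are constructed for the demonstration, and the dicts in demo() mimic what the thread says @validate hands to the method.

```python
# Added example; not code from the thread. A plain class stands in for the
# SQLObject model so the comparison runs without TurboGears installed.

# Allowlist of columns a request may modify (hypothetical for this example).
UPDATABLE_FIELDS = ('description',)


class FakeTest(object):
    """Constructed stand-in for the Test model from the thread.

    'owner' is a made-up column that a request must never be able to set."""

    def __init__(self, name, description, owner):
        self.name = name
        self.description = description
        self.owner = owner


def naive_update(obj, kw):
    """The loop from the original post: every keyword becomes a column write.

    Whatever @validate injects (an empty string for a missing 'description')
    and whatever extra parameters the client chooses to send both reach the
    database."""
    for k in kw:
        setattr(obj, k, kw[k])
    return obj


def safe_update(obj, kw, allowed=UPDATABLE_FIELDS):
    """Write only allowlisted columns that the request actually supplied.

    None means 'not supplied': per Barry's reply, validators.String(if_empty=None)
    turns a missing or empty parameter into None, which is skipped here instead
    of blanking the column. Unknown keys are rejected rather than silently
    dropped so that tampering shows up in the server log."""
    unexpected = sorted(set(kw) - set(allowed))
    if unexpected:
        raise ValueError("unexpected field(s): %s" % ", ".join(unexpected))
    for k in allowed:
        if kw.get(k) is not None:
            setattr(obj, k, kw[k])
    return obj


def demo():
    """Replay the thread's scenario; return the resulting description values."""
    # Constructed: what update() sees for .../test/item1 with no description
    # parameter, as the original post describes it.
    kw_from_validate = {'description': ''}
    # Constructed: the same request after switching to if_empty=None.
    kw_with_if_empty_none = {'description': None}

    blanked = naive_update(FakeTest('item1', 'keep me', 'laurie'),
                           kw_from_validate)
    kept = safe_update(FakeTest('item1', 'keep me', 'laurie'),
                       kw_with_if_empty_none)
    changed = safe_update(FakeTest('item1', 'keep me', 'laurie'),
                          {'description': 'new text'})
    return blanked.description, kept.description, changed.description


def rejects_unknown_column():
    """True if safe_update refuses a request naming a column outside the allowlist."""
    obj = FakeTest('item1', 'keep me', 'laurie')
    try:
        safe_update(obj, {'owner': 'someone else'})
    except ValueError:
        return obj.owner == 'laurie'
    return False


if __name__ == '__main__':
    print(demo())
    print(rejects_unknown_column())
```

The allowlist is the part that matters: with it in place, what @validate does to the keyword dict can no longer decide which columns change, and the if_empty=None setting only determines whether an absent parameter is skipped or written.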
