Validate filename and object_name for TO PDF upload

2019-08-09 15:40:15 -04:00 · 2019-08-09 15:40:15 -04:00 · 71bb1be130
commit 71bb1be130
parent 3ecb2cf84f
2 changed files with 45 additions and 3 deletions
--- a/atst/forms/task_order.py
+++ b/atst/forms/task_order.py
@ -7,7 +7,7 @@ from wtforms.fields import (
    HiddenField,
 )
 from wtforms.fields.html5 import DateField
-from wtforms.validators import Required, Optional
+from wtforms.validators import Required, Optional, Length
 from flask_wtf import FlaskForm

 from .data import JEDI_CLIN_TYPES
@ -65,8 +65,13 @@ class CLINForm(FlaskForm):


 class AttachmentForm(BaseForm):
-    filename = HiddenField(id="attachment_filename")
-    object_name = HiddenField(id="attachment_object_name")
+    filename = HiddenField(
+        id="attachment_filename",
+        validators=[
+            Length(max=100, message="Filename may be no longer than 100 characters.")
+        ],
+    )
+    object_name = HiddenField(id="attachment_object_name", validators=[Length(max=40)])
    accept = ".pdf,application/pdf"


--- a/tests/routes/task_orders/test_new.py
+++ b/tests/routes/task_orders/test_new.py
@ -7,6 +7,7 @@ from atst.models.task_order import Status as TaskOrderStatus
 from atst.models import TaskOrder

 from tests.factories import CLINFactory, PortfolioFactory, TaskOrderFactory, UserFactory
+from tests.utils import captured_templates


 def build_pdf_form_data(filename="sample.pdf", object_name="object_name"):
@ -101,6 +102,42 @@ def test_task_orders_submit_form_step_one_add_pdf_delete_pdf(
    assert response.status_code == 302


+def test_task_orders_submit_form_step_one_validates_filename(
+    app, client, user_session, portfolio
+):
+    user_session(portfolio.owner)
+    with captured_templates(app) as templates:
+        client.post(
+            url_for(
+                "task_orders.submit_form_step_one_add_pdf", portfolio_id=portfolio.id
+            ),
+            data={"pdf-filename": "a" * 1024},
+            follow_redirects=True,
+        )
+
+        _, context = templates[-1]
+
+        assert "filename" in context["form"].pdf.errors
+
+
+def test_task_orders_submit_form_step_one_validates_object_name(
+    app, client, user_session, portfolio
+):
+    user_session(portfolio.owner)
+    with captured_templates(app) as templates:
+        client.post(
+            url_for(
+                "task_orders.submit_form_step_one_add_pdf", portfolio_id=portfolio.id
+            ),
+            data={"pdf-object_name": "a" * 41},
+            follow_redirects=True,
+        )
+
+        _, context = templates[-1]
+
+        assert "object_name" in context["form"].pdf.errors
+
+
 def test_task_orders_form_step_two_add_number(client, user_session, task_order):
    user_session(task_order.creator)
    response = client.get(