From 68d0abbe8563c6e778040b2d4f3f640858f5b968 Mon Sep 17 00:00:00 2001
From: Christian Heller <c.heller@plomlompom.de>
Date: Fri, 21 Jun 2024 17:37:33 +0200
Subject: [PATCH] Improve POST /day input validation.

---
 plomtask/http.py | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/plomtask/http.py b/plomtask/http.py
index 28812df..2706603 100644
--- a/plomtask/http.py
+++ b/plomtask/http.py
@@ -137,6 +137,20 @@ class InputsParser:
             msg = f'cannot int a form field value for key {key} in: {all_str}'
             raise BadFormatException(msg) from e
 
+    def get_all_floats_or_nones(self, key: str) -> list[float | None]:
+        """Retrieve list of float value at key, None if empty strings."""
+        ret: list[float | None] = []
+        for val in self.get_all_str(key):
+            if '' == val:
+                ret += [None]
+            else:
+                try:
+                    ret += [float(val)]
+                except ValueError as e:
+                    msg = f'cannot float form field value for key {key}: {val}'
+                    raise BadFormatException(msg) from e
+        return ret
+
 
 class TaskHandler(BaseHTTPRequestHandler):
     """Handles single HTTP request."""
@@ -552,13 +566,14 @@ class TaskHandler(BaseHTTPRequestHandler):
         make_type = self._form_data.get_str('make_type')
         old_todos = self._form_data.get_all_int('todo_id')
         new_todos = self._form_data.get_all_int('new_todo')
-        is_done = [t_id in self._form_data.get_all_int('done')
-                   for t_id in old_todos]
         comments = self._form_data.get_all_str('comment')
-        efforts = [float(effort) if effort else None
-                   for effort in self._form_data.get_all_str('effort')]
-        if old_todos and 3*[len(old_todos)] != [len(is_done), len(comments),
-                                                len(efforts)]:
+        efforts = self._form_data.get_all_floats_or_nones('effort')
+        done_todos = self._form_data.get_all_int('done')
+        for _ in [id_ for id_ in done_todos if id_ not in old_todos]:
+            raise BadFormatException('"done" field refers to unknown Todo')
+        is_done = [t_id in done_todos for t_id in old_todos]
+        if not (len(old_todos) == len(is_done) == len(comments)
+                == len(efforts)):
             msg = 'not equal number each of number of todo_id, comments, ' +\
                     'and efforts inputs'
             raise BadFormatException(msg)
-- 
2.30.2