Fix /follows.json POST handler to validate publisher exists before database write#11149
Fix /follows.json POST handler to validate publisher exists before database write#11149mekarpeles with Copilot wants to merge 2 commits into
Conversation
…iting to DB Co-authored-by: mekarpeles <978325+mekarpeles@users.noreply.github.com>
/follows.json POST handler does not validate publisher|
If these are opened as drafts, our reviewer assignment script will ignore them. |
|
Hi @copilot-swe-agent — this fix (validating publisher exists before writing to the follows table) was already incorporated into the publisher_account = accounts.find(username=i.publisher)
if not publisher_account:
raise web.notfound()Master also already has the accompanying test in |
Thanks for the heads-up! Since the publisher validation fix is already in |
The
/follows.jsonPOST handler was allowing authenticated users to follow any publisher username without validating that the publisher account actually exists. This could lead to invalid follow relationships being written to the database.Changes Made
Added publisher validation to the
patrons_follows_json.POST()method inopenlibrary/plugins/openlibrary/api.py:The validation occurs after user authentication but before the database write operation. If the publisher account doesn't exist, the handler now returns a proper 404 error instead of proceeding with the follow/unfollow action.
Testing
Added comprehensive test coverage in
openlibrary/plugins/openlibrary/tests/test_followsapi.pyto verify:All existing tests continue to pass, confirming no regression in functionality.
Security Impact
This fix prevents the creation of follow relationships with non-existent users, improving data integrity and preventing potential issues from invalid publisher references in the follows table.
Fixes #11112.
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.