From 5d9b7364a1a96f39651158b69267637448525d6d Mon Sep 17 00:00:00 2001
From: ashnaaseth2325-oss
Date: Mon, 23 Mar 2026 19:27:30 +0000
Subject: [PATCH 1/3] fix: catch ValueError for malformed channel_id in remove_self
Signed-off-by: ashnaaseth2325-oss
---
 contentcuration/contentcuration/viewsets/user.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/contentcuration/contentcuration/viewsets/user.py b/contentcuration/contentcuration/viewsets/user.py
index bbd2389ee5..46feb0ba8d 100644
--- a/contentcuration/contentcuration/viewsets/user.py
+++ b/contentcuration/contentcuration/viewsets/user.py
@@ -316,6 +316,8 @@ def remove_self(self, request, pk=None):
 channel = Channel.objects.get(id=channel_id)
 except Channel.DoesNotExist:
 return HttpResponseNotFound("Channel not found {}".format(channel_id))
+ except ValueError:
+ return HttpResponseBadRequest("Invalid channel ID: {}".format(channel_id))
 if request.user != user and not request.user.can_edit(channel_id):
 return HttpResponseForbidden(
From 38c5afcdf65afd12971ba9e6acf02b80fbf3f7f8 Mon Sep 17 00:00:00 2001
From: ashnaaseth2325-oss
Date: Tue, 24 Mar 2026 18:21:03 +0000
Subject: [PATCH 2/3] fix: validate channel_id as UUID before querying in remove_self
---
 contentcuration/contentcuration/viewsets/user.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/contentcuration/contentcuration/viewsets/user.py b/contentcuration/contentcuration/viewsets/user.py
index 46feb0ba8d..1d63866b3b 100644
--- a/contentcuration/contentcuration/viewsets/user.py
+++ b/contentcuration/contentcuration/viewsets/user.py
@@ -43,7 +43,7 @@
 from contentcuration.viewsets.sync.constants import DELETED
 from contentcuration.viewsets.sync.constants import EDITOR_M2M
 from contentcuration.viewsets.sync.constants import VIEWER_M2M
-
+import uuid
 class IsAdminUser(BasePermission):
 """
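Review bot: In the `@@ -316,6 +316,8 @@` hunk of patch 1/3, the new `except ValueError` branch formats `channel_id` (presumably request-supplied) into the response body, and Django's `HttpResponseBadRequest` defaults to a `text/html` content type, so a malformed value is reflected to the client unescaped. Return a fixed message instead, `return HttpResponseBadRequest("Invalid channel ID")`, which also matches the wording the UUID pre-check in patch 2/3 uses; the neighbouring context line `HttpResponseNotFound("Channel not found {}".format(channel_id))` has the same pattern. Where `channel_id` is read from the request is outside the hunk, so how reachable this is from a browser is not visible here. `remove_self` starts and ends outside the hunk.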
@@ -311,6 +311,10 @@ def remove_self(self, request, pk=None):
 if not channel_id:
 return HttpResponseBadRequest("Channel ID is required.")
+ try:
+ uuid.UUID(channel_id)
+ except ValueError:
+ return HttpResponseBadRequest("Invalid channel ID")
 try:
 channel = Channel.objects.get(id=channel_id)
From 4ba11d0560fb791b0bf88372e180013e1d8f048f Mon Sep 17 00:00:00 2001
From: "pre-commit-ci-lite[bot]" <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com>
Date: Tue, 24 Mar 2026 18:24:30 +0000
Subject: [PATCH 3/3] [pre-commit.ci lite] apply automatic fixes
---
 contentcuration/contentcuration/viewsets/user.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/contentcuration/contentcuration/viewsets/user.py b/contentcuration/contentcuration/viewsets/user.py
index 1d63866b3b..a30b3f1bc6 100644
--- a/contentcuration/contentcuration/viewsets/user.py
+++ b/contentcuration/contentcuration/viewsets/user.py
@@ -1,3 +1,4 @@
+import uuid
 from functools import reduce
 from django.db import IntegrityError
@@ -43,7 +44,7 @@
 from contentcuration.viewsets.sync.constants import DELETED
 from contentcuration.viewsets.sync.constants import EDITOR_M2M
 from contentcuration.viewsets.sync.constants import VIEWER_M2M
-import uuid
+
 class IsAdminUser(BasePermission):
 """
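Review bot: In the `@@ -311,6 +311,10 @@` hunk of patch 2/3, `uuid.UUID(channel_id)` is used only as a check and its result is discarded, so the raw string still goes to `Channel.objects.get(id=channel_id)` and, further down, to `request.user.can_edit(channel_id)`. `uuid.UUID` accepts several spellings of the same value (hyphenated, brace-wrapped, `urn:uuid:` prefixed), so the lookup and the permission check can receive a string that is not in the form the database stores; keeping the parsed value, for example `channel_id = uuid.UUID(channel_id).hex` (or `str(...)`, whichever matches the stored form, which is not visible here), would make both operate on one canonical id. The constructor also raises `AttributeError` or `TypeError` rather than `ValueError` for a non-string argument, so if `channel_id` can be anything but a `str` (its assignment is outside the hunk) the clause should be `except (ValueError, AttributeError, TypeError):`. `remove_self` starts and ends outside the hunk.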