Only allow update service to modify named attrs

To prevent typos and inadvertently updating something we shouldn’t, this adds some filtering to the update_service method to make sure it is only allowed to update certain attributes of a service.
2026-05-02 23:20:56 -04:00 · 2016-08-11 13:55:42 +01:00
parent 002b58a062
commit 0cfe10639a
2 changed files with 21 additions and 0 deletions
--- a/app/notify_client/service_api_client.py
+++ b/app/notify_client/service_api_client.py
@@ -81,6 +81,21 @@ class ServiceAPIClient(NotificationsAPIClient):
        """
        Update a service.
        """
+        disallowed_attributes = set(kwargs.keys()) - {
+            'name',
+            'users',
+            'message_limit',
+            'active',
+            'restricted',
+            'email_from',
+            'reply_to_email_address',
+            'sms_sender'
+        }
+        if disallowed_attributes:
+            raise TypeError('Not allowed to update service attributes: {}'.format(
+                ", ".join(disallowed_attributes)
+            ))
+
        _attach_current_user(kwargs)
        endpoint = "/service/{0}".format(service_id)
        return self.post(endpoint, data)
--- a/tests/app/notify_client/test_service_api_client.py
+++ b/tests/app/notify_client/test_service_api_client.py
@@ -37,3 +37,9 @@ def test_client_gets_service(mocker, function, params):

    function(client, 'foo')
    mock_get.assert_called_once_with('/service/foo', params=params)
+
+
+def test_client_only_updates_allowed_attributes(mocker):
+    with pytest.raises(TypeError) as error:
+        ServiceAPIClient().update_service('service_id', foo='bar')
+    assert str(error.value) == 'Not allowed to update service attributes: foo'