Merge pull request #35035 from dimagi/ap/deet/fix-SAAS-15728

Add check for the case type passed in the URL
dimagi · Aug 28, 2024 · 14c2b4d · 14c2b4d
2 parents 62d2f03 + b744b1e
commit 14c2b4d
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/corehq/apps/export/tests/test_export_views.py b/corehq/apps/export/tests/test_export_views.py
@@ -151,6 +151,15 @@ def test_create_form_export(self):
         )
         self.assertEqual(resp.status_code, 200)
 
+    @patch("corehq.apps.export.views.new.get_case_types_for_domain", lambda *a: ['random_case'])
+    def test_create_case_export_with_invalid_case(self):
+        resp = self.client.get(
+            reverse(CreateNewCustomCaseExportView.urlname, args=[self.domain.name]),
+            {'export_tag': 'some_case'}
+        )
+        self.assertEqual(resp.status_code, 302)
+
+    @patch("corehq.apps.export.views.new.get_case_types_for_domain", lambda *a: ['random_case'])
     def test_create_case_export(self):
         resp = self.client.get(
             reverse(CreateNewCustomCaseExportView.urlname, args=[self.domain.name]),

diff --git a/corehq/apps/export/views/new.py b/corehq/apps/export/views/new.py
@@ -15,6 +15,7 @@
 from memoized import memoized
 
 from corehq.apps.accounting.decorators import requires_privilege_with_fallback
+from corehq.apps.reports.analytics.esaccessors import get_case_types_for_domain
 from dimagi.utils.web import json_response
 
 from corehq import privileges, toggles
@@ -412,6 +413,16 @@ def create_new_export_instance(self, schema, username, export_settings=None):
     def get(self, request, *args, **kwargs):
         case_type = request.GET.get('export_tag').strip('"')
 
+        if (
+            case_type not in get_case_types_for_domain(request.domain)
+            and case_type != ALL_CASE_TYPE_EXPORT
+        ):
+            messages.error(
+                request,
+                _("Case type '{case_type}' does not exist for this project.").format(case_type=case_type)
+            )
+            url = self.export_home_url
+            return HttpResponseRedirect(url)
         # First check if project is allowed to do a bulk export and redirect if necessary
         if case_type == ALL_CASE_TYPE_EXPORT and case_type_or_app_limit_exceeded(self.domain):
             messages.error(