in browser view, handle invalid user input properly

jrief · jrief · commit 281444adcb50 · 2025-11-21T10:35:11.000+01:00
diff --git a/finder/browser/views.py b/finder/browser/views.py
@@ -1,12 +1,13 @@
 from django.contrib.sites.shortcuts import get_current_site
-from django.core.exceptions import BadRequest, ObjectDoesNotExist
+from django.core.exceptions import BadRequest, ObjectDoesNotExist, ValidationError
 from django.core.files.storage import default_storage
 from django.db.models import QuerySet, Subquery
 from django.forms.renderers import DjangoTemplates
 from django.http import JsonResponse, HttpResponseBadRequest, HttpResponseNotFound
 from django.utils.decorators import method_decorator
 from django.utils.html import strip_spaces_between_tags
 from django.utils.safestring import mark_safe
+from django.utils.translation import gettext_lazy as _
 from django.views import View
 from django.views.decorators.http import require_GET, require_http_methods, require_POST
 
@@ -40,6 +41,8 @@ def dispatch(self, request, *args, **kwargs):
             return HttpResponseBadRequest(f"Action {self.action} not allowed.")
         try:
             return JsonResponse(action(request, *args, **kwargs))
+        except ValidationError as e:
+            return JsonResponse({'error': e.messages}, status=422)
         except Exception as e:
             return HttpResponseBadRequest(str(e))
 
@@ -262,7 +265,15 @@ def change(self, request, file_id):
     @method_decorator(require_POST)
     def crop(self, request, image_id):
         image = FileModel.objects.get_inode(id=image_id, mime_types=['image/*'], is_folder=False)
-        width, height = int(request.POST.get('width')), int(request.POST.get('height'))
+        width, height = request.POST.get('width'), request.POST.get('height')
+        width = int(width) if str(width).isdigit() else None
+        height = int(height) if str(height).isdigit() else None
+        if width is None and height is None:
+            raise ValidationError(_("At least one of width or height must be given."))
+        if width is None:
+            width = round(height * image.width / image.height)
+        if height is None:
+            height = round(width / image.width * image.height)
         cropped_image_path = image.get_cropped_path(width, height)
         if not default_storage.exists(cropped_image_path):
             image.crop(cropped_image_path, width, height)
