From d41140f8d935f899c9e27ef6fc230895a3e81fdf Mon Sep 17 00:00:00 2001
From: ks129 <45097959+ks129@users.noreply.github.com>
Date: Thu, 24 Dec 2020 09:29:10 +0200
Subject: Let Pydantic validate bulk responses delete data

---
 backend/routes/forms/responses.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

(limited to 'backend/routes/forms/responses.py')

diff --git a/backend/routes/forms/responses.py b/backend/routes/forms/responses.py
index baab856..f3c4cd7 100644
--- a/backend/routes/forms/responses.py
+++ b/backend/routes/forms/responses.py
@@ -1,6 +1,7 @@
 """
 Returns all form responses by form ID.
 """
+from pydantic import BaseModel
 from spectree import Response
 from starlette.authentication import requires
 from starlette.requests import Request
@@ -11,6 +12,10 @@ from backend.route import Route
 from backend.validation import api, ErrorMessage, OkayResponse
 
 
+class ResponseIdList(BaseModel):
+    ids: list[str]
+
+
 class Responses(Route):
     """
     Returns all form responses by form ID.
@@ -41,6 +46,7 @@ class Responses(Route):
 
     @requires(["authenticated", "admin"])
     @api.validate(
+        json=ResponseIdList,
         resp=Response(
             HTTP_200=OkayResponse,
             HTTP_404=ErrorMessage,
@@ -56,12 +62,10 @@ class Responses(Route):
             return JSONResponse({"error": "not_found"}, status_code=404)
 
         data = await request.json()
-
-        if "ids" not in data:
-            return JSONResponse({"error": "ids_not_provided"}, status_code=400)
+        response_ids = ResponseIdList(**data)
 
         # Convert IDs to set to remove duplicates
-        ids = set(data["ids"])
+        ids = set(response_ids.ids)
 
         cursor = request.state.db.responses.find(
             {"_id": {"$in": list(ids)}}  # Convert here back to list, may throw error.
-- 
cgit v1.2.3