From 67be5ba050d791d9c21f816bc13ac80c3caaed0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adri=C3=A0=20Casaj=C3=BAs?=
 <acasajus@users.noreply.github.com>
Date: Fri, 15 Jul 2022 17:10:00 +0200
Subject: [PATCH] Enforce int params in routes (#1159)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Adrià Casajús <adria.casajus@proton.ch>
---
 app/api/views/mailbox.py                     | 4 ++--
 app/api/views/notification.py                | 2 +-
 app/api/views/phone.py                       | 2 +-
 app/dashboard/views/alias_contact_manager.py | 2 +-
 app/phone/views/phone_reservation.py         | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/app/api/views/mailbox.py b/app/api/views/mailbox.py
index d235d390..bb1e94e4 100644
--- a/app/api/views/mailbox.py
+++ b/app/api/views/mailbox.py
@@ -71,7 +71,7 @@ def create_mailbox():
         )
 
 
-@api_bp.route("/mailboxes/<mailbox_id>", methods=["DELETE"])
+@api_bp.route("/mailboxes/<int:mailbox_id>", methods=["DELETE"])
 @require_api_auth
 def delete_mailbox(mailbox_id):
     """
@@ -103,7 +103,7 @@ def delete_mailbox(mailbox_id):
     return jsonify(deleted=True), 200
 
 
-@api_bp.route("/mailboxes/<mailbox_id>", methods=["PUT"])
+@api_bp.route("/mailboxes/<int:mailbox_id>", methods=["PUT"])
 @require_api_auth
 def update_mailbox(mailbox_id):
     """
diff --git a/app/api/views/notification.py b/app/api/views/notification.py
index d71856cc..4d800dca 100644
--- a/app/api/views/notification.py
+++ b/app/api/views/notification.py
@@ -60,7 +60,7 @@ def get_notifications():
     )
 
 
-@api_bp.route("/notifications/<notification_id>/read", methods=["POST"])
+@api_bp.route("/notifications/<int:notification_id>/read", methods=["POST"])
 @require_api_auth
 def mark_as_read(notification_id):
     """
diff --git a/app/api/views/phone.py b/app/api/views/phone.py
index 9af3fd1e..024a320b 100644
--- a/app/api/views/phone.py
+++ b/app/api/views/phone.py
@@ -9,7 +9,7 @@ from app.models import (
 )
 
 
-@api_bp.route("/phone/reservations/<reservation_id>", methods=["GET", "POST"])
+@api_bp.route("/phone/reservations/<int:reservation_id>", methods=["GET", "POST"])
 @require_api_auth
 def phone_messages(reservation_id):
     """
diff --git a/app/dashboard/views/alias_contact_manager.py b/app/dashboard/views/alias_contact_manager.py
index 5f478d9b..0f5e9671 100644
--- a/app/dashboard/views/alias_contact_manager.py
+++ b/app/dashboard/views/alias_contact_manager.py
@@ -229,7 +229,7 @@ def delete_contact(alias: Alias, contact_id: int):
         flash(f"Reverse-alias for {delete_contact_email} has been deleted", "success")
 
 
-@dashboard_bp.route("/alias_contact_manager/<alias_id>/", methods=["GET", "POST"])
+@dashboard_bp.route("/alias_contact_manager/<int:alias_id>/", methods=["GET", "POST"])
 @login_required
 def alias_contact_manager(alias_id):
     highlight_contact_id = None
diff --git a/app/phone/views/phone_reservation.py b/app/phone/views/phone_reservation.py
index 949bcb97..5cae6d22 100644
--- a/app/phone/views/phone_reservation.py
+++ b/app/phone/views/phone_reservation.py
@@ -9,7 +9,7 @@ from app.phone.base import phone_bp
 current_user: User
 
 
-@phone_bp.route("/reservation/<reservation_id>", methods=["GET", "POST"])
+@phone_bp.route("/reservation/<int:reservation_id>", methods=["GET", "POST"])
 @login_required
 def reservation_route(reservation_id: int):
     reservation: PhoneReservation = PhoneReservation.get(reservation_id)