Merged
Conversation
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
OpenAPI ChangesShow/hide ## Changes for v0.yaml:Unexpected changes? Ensure your branch is up-to-date with |
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
Comment on lines
+44
to
+46
| prefetched_products = getattr(obj, "prefetched_products", None) | ||
| if prefetched_products is not None: | ||
| return prefetched_products[0] if prefetched_products else None |
There was a problem hiding this comment.
Bug: The is_upgradable property incorrectly returns True for runs with only inactive products, causing the serializer to potentially expose inactive product data.
Severity: MEDIUM
Suggested Fix
Update the is_upgradable property in courses/models.py to check for active products specifically. When using prefetched products, use any(p.is_active for p in self.prefetched_products). For the database query fallback, use self.products.filter(is_active=True).exists(). Additionally, consider adding is_active=True to the prefetch query in courses/views/v3/__init__.py to prevent inactive products from being fetched in the first place.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: courses/serializers/v3/courses.py#L44-L46
Potential issue: The `is_upgradable` property on the `CourseRun` model can incorrectly
return `True` when a run only has inactive products. This is because the logic checks
for the existence of any product (`self.products.exists()` or
`bool(self.prefetched_products)`) without filtering for `is_active=True`. When this
occurs in an API view that uses a prefetch for all products (active and inactive), the
`CourseRunWithCourseSerializer`'s `_get_upgrade_product` method may return the first
product from the prefetched list, which could be an inactive one. This leads to the API
response incorrectly indicating that a run is upgradable and exposing details (ID,
price) of an inactive product.
Did we get this right? 👍 / 👎 to inform future reviews.
odlbot
added
waiting for checkboxes
all checkboxes checked
and removed
deploying to rc
waiting for checkboxes
labels
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Carey P Gumaer
annagav