From 480af81e0dea2d15df2f33e47edd9740eb395287 Mon Sep 17 00:00:00 2001
From: Emmanuel Viennet <emmanuel.viennet@gmail.com>
Date: Sat, 27 Nov 2021 18:44:32 +0100
Subject: [PATCH] check user params (old ids)

---
 app/scodoc/sco_page_etud.py | 4 ++++
 app/scodoc/sco_trombino.py  | 2 ++
 app/views/notes.py          | 6 ++++++
 3 files changed, 12 insertions(+)

diff --git a/app/scodoc/sco_page_etud.py b/app/scodoc/sco_page_etud.py
index 424e835cf2..573d794554 100644
--- a/app/scodoc/sco_page_etud.py
+++ b/app/scodoc/sco_page_etud.py
@@ -149,6 +149,10 @@ def ficheEtud(etudid=None):
     authuser = current_user
     cnx = ndb.GetDBConnexion()
     if etudid:
+        try:  # pour les bookmarks avec d'anciens ids...
+            etudid = int(etudid)
+        except ValueError:
+            raise ScoValueError("id invalide !")
         # la sidebar est differente s'il y a ou pas un etudid
         # voir html_sidebar.sidebar()
         g.etudid = etudid
diff --git a/app/scodoc/sco_trombino.py b/app/scodoc/sco_trombino.py
index d93de39518..84af342639 100644
--- a/app/scodoc/sco_trombino.py
+++ b/app/scodoc/sco_trombino.py
@@ -493,6 +493,8 @@ def photos_generate_excel_sample(group_ids=[]):
 
 def photos_import_files_form(group_ids=[]):
     """Formulaire pour importation photos"""
+    if not group_ids:
+        raise ScoValueError("paramètre manquant !")
     groups_infos = sco_groups_view.DisplayedGroupsInfos(group_ids)
     back_url = "groups_view?%s&curtab=tab-photos" % groups_infos.groups_query_args
 
diff --git a/app/views/notes.py b/app/views/notes.py
index deea62bf1a..5214977e89 100644
--- a/app/views/notes.py
+++ b/app/views/notes.py
@@ -45,6 +45,7 @@ from werkzeug.utils import redirect
 
 from config import Config
 
+from app import api
 from app import db
 from app import models
 from app.auth.models import User
@@ -657,6 +658,11 @@ def formsemestre_list(
     kw can specify some conditions: examples:
         formsemestre_list( format='json', formation_id='F777')
     """
+    try:
+        formsemestre_id = int(formsemestre_id) if formsemestre_id is not None else None
+        formation_id = int(formation_id) if formation_id is not None else None
+    except ValueError:
+        return api.errors.error_response(404, "invalid id")
     # XAPI: new json api
     args = {}
     L = locals()