Fix: do not accept empty string for doc link value via API (#8596)

diff --git a/src/documents/serialisers.py b/src/documents/serialisers.py
index 31871a3ad97d21e04f26d91cf036f9f0ebbdcdcd..e051e00d6dd7ea58943a3d470b9254173aae2cce 100644 (file)
--- a/src/documents/serialisers.py
+++ b/src/documents/serialisers.py
@@ -668,6 +668,10 @@ class CustomFieldInstanceSerializer(serializers.ModelSerializer):
                         f"Value must be an id of an element in {select_options}",
                     )
             elif field.data_type == CustomField.FieldDataType.DOCUMENTLINK:
+                if not (isinstance(data["value"], list) or data["value"] is None):
+                    raise serializers.ValidationError(
+                        "Value must be a list",
+                    )
                 doc_ids = data["value"]
                 if Document.objects.filter(id__in=doc_ids).count() != len(
                     data["value"],

diff --git a/src/documents/tests/test_api_custom_fields.py b/src/documents/tests/test_api_custom_fields.py
index 11911f6abfb563d0192c426c2a590cfb32511fe5..8c809429f6d06d83adb782579f77c6293a12a749 100644 (file)
--- a/src/documents/tests/test_api_custom_fields.py
+++ b/src/documents/tests/test_api_custom_fields.py
@@ -886,6 +886,7 @@ class TestCustomFieldsAPI(DirectoriesMixin, APITestCase):
             - Document & custom field exist
         WHEN:
             - API request to set a field value to a document that does not exist
+            - API request to set a field value to empty string
         THEN:
             - HTTP 400 is returned
             - No field instance is created or attached to the document
@@ -916,6 +917,19 @@ class TestCustomFieldsAPI(DirectoriesMixin, APITestCase):
         self.assertEqual(CustomFieldInstance.objects.count(), 0)
         self.assertEqual(len(doc.custom_fields.all()), 0)
 
+        resp = self.client.patch(
+            f"/api/documents/{doc.id}/",
+            data={
+                "custom_fields": [
+                    {"field": custom_field_documentlink.id, "value": ""},
+                ],
+            },
+            format="json",
+        )
+
+        self.assertEqual(resp.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(CustomFieldInstance.objects.count(), 0)
+
     def test_custom_field_not_null(self):
         """
         GIVEN: