API: handle project/version not found at permission class

humitos · humitos · commit 554f7799d4c2 · 2023-09-18T19:49:46.000+02:00
When a request is made with a URL containing an invalid version (e.g. http://test-builds.devthedocs.org/_/addons/?url=http%3A%2F%2Ftest-builds.devthedocs.org%2Fen%<invalid-version-here>%2F) this class fails and returns a 500. This fixes this issue by letting the request to continue and be handled downstream by the view itself. The error has been reported on Sentry: https://read-the-docs.sentry.io/issues/4457263897/events/recommended/?project=148442&query=is%3Aunresolved+%21message%3A%22%21message%3A%22%21message%3A%22SystemExit%22+%21message%3A%22frame-ancestors%22&referrer=recommended-event&stream_index=1 I will add a specific test for this in #10685.
diff --git a/readthedocs/api/v2/permissions.py b/readthedocs/api/v2/permissions.py
@@ -40,6 +40,13 @@ class IsAuthorizedToViewVersion(permissions.BasePermission):
     def has_permission(self, request, view):
         project = view._get_project()
         version = view._get_version()
+
+        if not project or not version:
+            # Allow the request if there is no project/version.
+            # It will hit the real view and it will be handled properly:
+            # return 404 or just an empty project/version field.
+            return True
+
         has_access = (
             Version.objects.public(
                 user=request.user,
