From 0e5c8d83a1678d37c5dcb37e092b345aed337356 Mon Sep 17 00:00:00 2001
From: Michael Krause
Date: Thu, 7 Jul 2022 18:22:57 +0200
Subject: [PATCH] Validate on field names and catch invalid results
---
 api/views.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/api/views.py b/api/views.py
index 1d8fd255..f1d17b4b 100644
--- a/api/views.py
+++ b/api/views.py
@@ -50,7 +50,7 @@ def api_root(request, format=None):
 class SearchQuerysetMixin():
 def get_queryset(self):
 queryset = self.model.objects.all()
- valid_fields = self.model._meta.fields
+ valid_fields = [f.name for f in self.model._meta.fields]
 filters = {}
 for param in self.request.query_params.lists():
 if param[0] in valid_fields:
@@ -58,7 +58,10 @@ def get_queryset(self):
 if param[0] == "department":
 key_name = "department__name__in"
 filters[key_name] = param[1]
- queryset = queryset.filter(**filters)
+ try:
+ queryset = queryset.filter(**filters)
+ except ValueError:
+ queryset = self.model.objects.none()
 return queryset
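Review bot: In the first hunk (`@@ -50,7 +50,7 @@`), `valid_fields` is built from every entry in `self.model._meta.fields`, so each column of whichever model uses this mixin becomes a filter key a client can send, whether or not the serializer returns that column. Filtering on a field that is never serialized still lets a caller infer its values from which rows match, so an explicit per-view allowlist is the safer default. One way is to have each view declare the searchable names and read them here, for example `valid_fields = getattr(self, "searchable_fields", ())`, where the attribute name is only a suggestion. The line that assigns `key_name` for ordinary fields sits between the two hunks and is not visible, so the exact lookup applied to those fields should be checked as well.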
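Review bot: In the second hunk (`@@ -58,7 +58,10 @@`), `except ValueError:` covers only part of what `queryset.filter(**filters)` can raise on client-supplied values. Django raises `django.core.exceptions.ValidationError` for unparsable input on some field types (date and UUID fields, for example), and that is not a `ValueError` subclass, so such requests would likely still end in a 500. Consider `except (ValueError, ValidationError):`; the file's import block is outside the hunk, so the import would have to be added there. Returning `self.model.objects.none()` also makes a malformed request look the same as a search with no matches. If this is a Django REST framework view, as `self.request.query_params` suggests, answering with a 400 would keep bad input visible to clients and in request logs.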