# HG changeset patch
# User Sascha L. Teichmann <sascha.teichmann@intevation.de>
# Date 1628539681 -7200
# Node ID d71ebe576c7655684aa22c308b738db313be24c3
# Parent  93af8d1ea09fe2516854eac6b6ca4ae35c7076d0
FWA: Check if breaks are valid parameters. Send BadRequest back if they are not.

diff -r 93af8d1ea09f -r d71ebe576c76 pkg/controllers/fwa.go
--- a/pkg/controllers/fwa.go	Tue Jul 20 18:54:35 2021 +0200
+++ b/pkg/controllers/fwa.go	Mon Aug 09 22:08:01 2021 +0200
@@ -252,18 +252,26 @@
 	}
 
 	// separate breaks for depth and width
-	var (
-		breaks       = parseBreaks(req.FormValue("breaks"), afdRefs)
-		depthBreaks  = parseBreaks(req.FormValue("depthbreaks"), breaks)
-		widthBreaks  = parseBreaks(req.FormValue("widthbreaks"), breaks)
-		chooseBreaks = [...][]float64{
-			limitingDepth: depthBreaks,
-			limitingWidth: widthBreaks,
-		}
+	breaks, ok := parseBreaks(rw, req, "breaks", afdRefs)
+	if !ok {
+		return
+	}
+	depthBreaks, ok := parseBreaks(rw, req, "depthbreaks", breaks)
+	if !ok {
+		return
+	}
+	widthBreaks, ok := parseBreaks(rw, req, "widthbreaks", breaks)
+	if !ok {
+		return
+	}
 
-		useDepth = bns.hasLimiting(limitingDepth, from, to)
-		useWidth = bns.hasLimiting(limitingWidth, from, to)
-	)
+	chooseBreaks := [...][]float64{
+		limitingDepth: depthBreaks,
+		limitingWidth: widthBreaks,
+	}
+
+	useDepth := bns.hasLimiting(limitingDepth, from, to)
+	useWidth := bns.hasLimiting(limitingWidth, from, to)
 
 	if useDepth && useWidth && len(widthBreaks) != len(depthBreaks) {
 		http.Error(
@@ -384,12 +392,12 @@
 				}
 			}
 
-			if min := minClass(bns[i].measurements.classify(
+			classes := bns[i].measurements.classify(
 				current, next,
 				chooseBreaks[vs.limiting],
-				limitingAccess[vs.limiting]),
-				12*time.Hour,
-			); min < lowest {
+				limitingAccess[vs.limiting])
+
+			if min := minClass(classes, 12*time.Hour); min < lowest {
 				lowest = min
 			}
 		}
@@ -488,25 +496,42 @@
 	}
 }
 
-func breaksToReferenceValue(breaks string) []float64 {
+func breaksToReferenceValue(breaks string) ([]float64, error) {
 	parts := strings.Split(breaks, ",")
 	var values []float64
 
 	for _, part := range parts {
 		part = strings.TrimSpace(part)
-		if v, err := strconv.ParseFloat(part, 64); err == nil {
-			values = append(values, v)
+		v, err := strconv.ParseFloat(part, 64)
+		if err != nil {
+			return nil, err
 		}
+		values = append(values, v)
 	}
 
-	return common.DedupFloat64s(values)
+	return common.DedupFloat64s(values), nil
 }
 
-func parseBreaks(breaks string, defaults []float64) []float64 {
-	if breaks != "" {
-		return breaksToReferenceValue(breaks)
+func parseBreaks(
+	rw http.ResponseWriter, req *http.Request,
+	parameter string,
+	defaults []float64,
+) ([]float64, bool) {
+
+	breaks := strings.TrimSpace(req.FormValue(parameter))
+	if breaks == "" {
+		return defaults, true
 	}
-	return defaults
+
+	defaults, err := breaksToReferenceValue(breaks)
+	if err != nil {
+		msg := fmt.Sprintf("Parameter '%s' is invalid: %s.", parameter, err)
+		log.Printf("error: %s\n", msg)
+		http.Error(rw, msg, http.StatusBadRequest)
+		return nil, false
+	}
+
+	return defaults, true
 }
 
 func (tr *timeRange) intersects(from, to time.Time) bool {