From 2473dfd23125ed6635d482fe41c63a1518dda23e Mon Sep 17 00:00:00 2001
From: j <0x006A@0x2620.org>
Date: Sat, 13 Jul 2013 11:53:13 +0000
Subject: [PATCH] validate in/out values of edit clips

---
 pandora/edit/models.py |  5 +++++
 pandora/edit/views.py  | 16 +++++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/pandora/edit/models.py b/pandora/edit/models.py
index cde58199..9efa82fd 100644
--- a/pandora/edit/models.py
+++ b/pandora/edit/models.py
@@ -65,6 +65,11 @@ class Edit(models.Model):
             clip.index = 0
         else:
             clip.index +=1
+        # dont add clip if in/out are invalid
+        if not clip.annotation:
+            duration = clip.item.sort.duration
+            if clip.start >= clip.end or clip.start >= duration or clip.end > duration:
+                return False
         clip.save()
         return clip
 
diff --git a/pandora/edit/views.py b/pandora/edit/views.py
index 1aa80476..91e4f5b4 100644
--- a/pandora/edit/views.py
+++ b/pandora/edit/views.py
@@ -41,7 +41,10 @@ def addClip(request):
     edit = get_edit_or_404_json(data['edit'])
     if edit.editable(request.user):
         clip = edit.add_clip(data)
-        response['data'] = clip.json(request.user)
+        if not clip:
+            response = json_response(status=500, text='invalid in/out')
+        else:
+            response['data'] = clip.json(request.user)
     else:
         response = json_response(status=403, text='permission denied')
     return render_to_json_response(response)
@@ -87,6 +90,7 @@ def editClip(request):
     response = json_response()
     data = json.loads(request.POST['data'])
     clip = get_object_or_404_json(models.Clip, pk=ox.fromAZ(data['id']))
+    valid = False
     if clip.edit.editable(request.user):
         for key in ('in', 'out'):
             if key in data:
@@ -95,8 +99,14 @@ def editClip(request):
                     clip.end = clip.annotation.end
                     clip.annotation = None
                 setattr(clip, {'in': 'start', 'out': 'end'}.get(key), float(data[key]))
-        clip.save()
-        response['data'] = clip.json(user=request.user)
+        if not clip.annotation:
+            duration = clip.item.sort.duration
+            if clip.start >= clip.end or clip.start >= duration or clip.end > duration:
+                response = json_response(status=500, text='invalid in/out')
+                valid = False
+        if valid:
+            clip.save()
+            response['data'] = clip.json(user=request.user)
     else:
         response = json_response(status=403, text='permission denied')
     return render_to_json_response(response)