27343e28be1d — Peter Sanchez 13 years ago
Added command validation
1 files changed, 6 insertions(+), 1 deletions(-)

M cartfreakapi/views.py
M cartfreakapi/views.py +6 -1
@@ 15,6 15,8 @@ def handle_api(request, callback=None, k
         )
 
     required = ('command', 'hash')
+    valid_commands = ('CREATE', 'REMOVE', 'COMPLETE')
+    
     cf_key = getattr(settings, key_name)
     for req in required:
         if req not in request.POST:
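Review bot: `valid_commands` on the added line is a request-independent constant defined inside the view body, so it is rebuilt on every call and is not visible to any other code that must agree on the accepted command set; the conventional placement is a module-level `VALID_COMMANDS = ('CREATE', 'REMOVE', 'COMPLETE')` next to `ERROR_STR`, referenced from the view. The added blank line after it carries trailing whitespace. `handle_api` begins before this hunk and the `for req in required:` loop continues past it.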

          
@@ 24,7 26,10 @@ def handle_api(request, callback=None, k
     in_hash = request.POST.get('hash')
     command = request.POST.get('command')
     _hash = hashlib.sha1(cf_key + command).hexdigest()
-    
+
+    if command not in valid_commands:
+        return HttpResponse(ERROR_STR % 'Invalid command sent')
+
     if _hash != in_hash:
         return HttpResponse(ERROR_STR % 'Invalid hash sent')
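Review bot: The check `if _hash != in_hash:` compares a client-supplied digest with the ordinary inequality operator, which stops at the first differing character and so leaks timing information about the expected value; the new command whitelist above it does not change that. Where the runtime provides it, `if not hmac.compare_digest(_hash, in_hash):` is the constant-time form (no `import hmac` is visible in this hunk, so it would need adding at the top of the file). `hashlib.sha1(cf_key + command)` is a keyed-prefix hash rather than an HMAC; because `command` is now restricted to three fixed strings before the comparison the immediate exposure is limited, but if the clients can be updated, `hmac.new(cf_key, command, hashlib.sha1).hexdigest()` is the standard construction. Placing the `valid_commands` check before the `hashlib.sha1(...)` line would also avoid hashing unvalidated input, which reads more clearly even though it is not a correctness change here.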