From 4ef291b00b52c2c277557cf5b1dae0e443682c6b Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Fri, 22 Apr 2016 15:39:33 -0400
Subject: [PATCH] do not allow requests with empty values in __in values
---
 awx/api/filters.py | 2 ++
 awx/main/tests/unit/api/test_filters.py | 12 ++++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 awx/main/tests/unit/api/test_filters.py
diff --git a/awx/api/filters.py b/awx/api/filters.py
index 367fd0eda5..d81134799c 100644
--- a/awx/api/filters.py
+++ b/awx/api/filters.py
@@ -132,6 +132,8 @@ class FieldLookupBackend(BaseFilterBackend):
 elif new_lookup.endswith('__in'):
 items = []
 for item in value.split(','):
+ if not item:
+ raise ValueError('cannot provide empty value for __in')
 items.append(self.value_to_python_for_field(field, item))
 value = items
 elif new_lookup.endswith('__regex') or new_lookup.endswith('__iregex'):
diff --git a/awx/main/tests/unit/api/test_filters.py b/awx/main/tests/unit/api/test_filters.py
new file mode 100644
index 0000000000..c267c4f734
--- /dev/null
+++ b/awx/main/tests/unit/api/test_filters.py
@@ -0,0 +1,12 @@
+import pytest
+
+from awx.api.filters import FieldLookupBackend
+from awx.main.models import JobTemplate
+
+@pytest.mark.parametrize(u"empty_value", [u'', '', u'a,,b'])
+def test_empty_in(empty_value):
+ field_lookup = FieldLookupBackend()
+ with pytest.raises(ValueError) as excinfo:
+ field_lookup.value_to_python(JobTemplate, 'project__in', empty_value)
+ assert 'empty value for __in' in str(excinfo.value)
+
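Review bot: In awx/api/filters.py the added `if not item:` guard in the `__in` branch rejects only zero-length items, so a whitespace-only element such as `1, ,2` still reaches `value_to_python_for_field`. If such input should be refused in the same way, `if not item.strip():` would cover it, though for string fields whitespace may be a legitimate value, so this needs a decision rather than a blind change. The guard also depends on the caller turning `ValueError` into a client error; that handler is outside this hunk, so it is worth confirming that an empty `__in` value produces a 400 response and not a 500. A short comment like `# ''.split(',') yields [''], so an empty parameter or a stray comma ends up here` would explain why the check sits inside the loop. The enclosing method starts and ends outside the hunk.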
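Review bot: In awx/main/tests/unit/api/test_filters.py the parametrized inputs cover an empty string and an empty middle element, but not a leading or trailing comma. Adding `u'a,'` and `u',a'` to the list would pin those two common client mistakes as well. Indentation is not recoverable on this page, so please confirm that the final `assert 'empty value for __in' in str(excinfo.value)` sits outside the `with pytest.raises(...)` block; inside it, the line after the raising call never runs and the message would go unchecked.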