Rejects string prefixed exact monetary queries

2026-04-21 07:19:26 +00:00 · 2026-04-20 14:13:28 -07:00
parent a74786c25b
commit 407ff70c56
2 changed files with 26 additions and 0 deletions
--- a/src/documents/filters.py
+++ b/src/documents/filters.py
@@ -627,6 +627,12 @@ class CustomFieldQueryParser:
        elif custom_field.data_type == CustomField.FieldDataType.URL:
            # For URL fields we don't need to be strict about validation (e.g., for istartswith).
            field = serializers.CharField()
+        elif custom_field.data_type == CustomField.FieldDataType.MONETARY and (
+            op in self.EXPR_BY_CATEGORY["arithmetic"] or op in {"exact", "in"}
+        ):
+            # These ops compare against value_monetary_amount (a DecimalField), so the
+            # filter value must be numeric, not a currency-prefixed string like "USD100".
+            field = serializers.DecimalField(max_digits=65, decimal_places=2)
        else:
            # The general case: inferred from the corresponding field in CustomFieldInstance.
            value_field_name = CustomFieldInstance.get_value_field_name(
--- a/src/documents/tests/test_api_filter_by_custom_fields.py
+++ b/src/documents/tests/test_api_filter_by_custom_fields.py
@@ -479,6 +479,26 @@ class TestCustomFieldsSearch(DirectoriesMixin, APITestCase):
            ),
        )

+    def test_exact_monetary_with_currency_prefix_is_invalid(self) -> None:
+        # Providing a currency-prefixed string like "USD100" for an exact/arithmetic
+        # monetary filter should be rejected, since these ops compare against the
+        # extracted numeric amount and cannot accept non-numeric values.
+        self._assert_validation_error(
+            json.dumps(["monetary_field", "exact", "USD100"]),
+            ["custom_field_query", "2"],
+            "valid number",
+        )
+        self._assert_validation_error(
+            json.dumps(["monetary_field", "gt", "USD100"]),
+            ["custom_field_query", "2"],
+            "valid number",
+        )
+        self._assert_validation_error(
+            json.dumps(["monetary_field", "in", ["USD100", "EUR50"]]),
+            ["custom_field_query", "2", "0"],
+            "valid number",
+        )
+
    # ==========================================================#
    # Subset check (document link field only)                   #
    # ==========================================================#