From d949a01550ae947187e6114b7ee4bfd64bfa470f Mon Sep 17 00:00:00 2001
From: Konrad du Plessis
Date: Sat, 16 May 2026 13:45:24 +0200
Subject: [PATCH] refine: document ?pay_type= param + add unknown-value regression test
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 core/tests.py | 12 ++++++++++++
 core/views.py | 4 +++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/core/tests.py b/core/tests.py
index 7401d97..6dc3a36 100644
--- a/core/tests.py
+++ b/core/tests.py
@@ -3282,6 +3282,18 @@ class WorkerListPayTypeFilterTests(TestCase):
 self.assertIn('Mary Manager', names)
 self.assertEqual(resp.context['pay_type_filter'], '')
 
+ def test_unknown_pay_type_value_shows_both(self):
+ # Robustness: an unrecognised ?pay_type= value (typo, tampering,
+ # future-removed option) must fall through to the UNFILTERED
+ # default — never error, never return an empty list. This locks
+ # the allow-list contract so a future change to a deny-list
+ # would fail loudly here.
+ resp = self.client.get('/workers/?pay_type=banana')
+ names = [w.name for w in resp.context['workers']]
+ self.assertIn('Danny Daily', names)
+ self.assertIn('Mary Manager', names)
+ self.assertEqual(resp.context['pay_type_filter'], 'banana')
+
 
 class WorkHistoryTeamFilterTests(TestCase):
 """The /history/ page accepts ?team= to narrow to logs tagged
diff --git a/core/views.py b/core/views.py
index 206aff6..5f7c72d 100644
--- a/core/views.py
+++ b/core/views.py
@@ -1604,7 +1604,7 @@ def export_workers_csv(request):
 
 @login_required
 def worker_list(request):
- """Admin-friendly list of all workers with search + status + team filter.
+ """Admin-friendly list of all workers with search + status + team + pay-type filter.
 
 Query params:
 ?q=search_term — search name / ID number / phone
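Review bot: The last assertion in `test_unknown_pay_type_value_shows_both` pins that the unrecognised query value (`'banana'`) is handed back to the template context unchanged, which sits oddly with the allow-list contract the comment describes. The view and template are not in this hunk, so how `pay_type_filter` is rendered cannot be checked here; if it reaches an attribute, a hidden field or a script context, the page relies entirely on output escaping for a value the view has already decided is invalid. Normalising unknown values to the empty string in `worker_list` and asserting `self.assertEqual(resp.context['pay_type_filter'], '')` would keep request-controlled text out of the context. The enclosing `WorkerListPayTypeFilterTests` class and its fixtures start outside the hunk.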
@@ -1613,6 +1613,8 @@ def worker_list(request):
 ?status=all — both
 ?team= — only workers belonging to this team (M2M)
 ?team=none — workers NOT assigned to any team
+ ?pay_type=fixed — only managers / salaried staff (Worker.pay_type)
+ ?pay_type=daily — only daily field workers
 """
 if not is_admin(request.user):
 return HttpResponseForbidden("Admin access required.")
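Review bot: The docstring addition lists the two accepted `?pay_type=` values but not what `worker_list` does with any other value, which is the behaviour the new regression test in core/tests.py depends on. A third line such as `?pay_type=<other> — ignored; list is left unfiltered` would put the allow-list contract next to the parameter it governs. The filtering code is outside this hunk, so that wording should be checked against it; the function body continues past the last line shown.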