From 98b87cde827aea866e9067d980c42b323b052c40 Mon Sep 17 00:00:00 2001
From: Kevin Burnett <18027+burnettk@users.noreply.github.com>
Date: Mon, 29 Apr 2024 21:42:35 +0000
Subject: [PATCH] make sure init params are in include list (#1467)

Co-authored-by: burnettk <burnettk@users.noreply.github.com>
---
 .../spiffworkflow_backend/models/process_group.py |  5 +++++
 .../services/process_model_service.py             |  9 ++++++++-
 .../expected-to-fail/process_group.json           | 15 ++++++++-------
 3 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_group.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_group.py
index aa5db0a5b..229a9dce1 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_group.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_group.py
@@ -56,6 +56,11 @@ class ProcessGroup:
     def id_for_file_path(self) -> str:
         return self.id.replace("/", os.sep)
 
+    @classmethod
+    def get_valid_properties(cls) -> list[str]:
+        dict_keys = cls.__dataclass_fields__.keys()
+        return list(dict_keys)
+
 
 class ProcessGroupSchema(Schema):
     class Meta:
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
index 3ee02a912..e9fd93951 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
@@ -3,6 +3,7 @@ import os
 import shutil
 import uuid
 from json import JSONDecodeError
+from typing import Any
 from typing import TypeVar
 
 from flask import current_app
@@ -559,6 +560,11 @@ class ProcessModelService(FileSystemService):
                     process_groups.append(scanned_process_group)
             return process_groups
 
+    @classmethod
+    def restrict_dict(cls, data: dict[str, Any]) -> dict[str, Any]:
+        allowed_keys = ProcessGroup.get_valid_properties()
+        return {key: data[key] for key in data if key in allowed_keys}
+
     # NOTE: find_all_nested_items was added to avoid potential backwards compatibility issues.
     # we may be able to remove it and always pass "find_direct_nested_items=False" whenever looking
     # through the subdirs of a process group instead.
@@ -574,7 +580,8 @@ class ProcessModelService(FileSystemService):
                 # we don't store `id` in the json files, so we add it back in here
                 relative_path = os.path.relpath(dir_path, FileSystemService.root_path())
                 data["id"] = cls.path_to_id(relative_path)
-                process_group = ProcessGroup(**data)
+                restricted_data = cls.restrict_dict(data)
+                process_group = ProcessGroup(**restricted_data)
                 if process_group is None:
                     raise ApiError(
                         error_code="process_group_could_not_be_loaded_from_disk",
diff --git a/spiffworkflow-backend/tests/data/bpmn_unit_test_process_models/expected-to-fail/process_group.json b/spiffworkflow-backend/tests/data/bpmn_unit_test_process_models/expected-to-fail/process_group.json
index a3a3aabb8..9fe40d949 100644
--- a/spiffworkflow-backend/tests/data/bpmn_unit_test_process_models/expected-to-fail/process_group.json
+++ b/spiffworkflow-backend/tests/data/bpmn_unit_test_process_models/expected-to-fail/process_group.json
@@ -1,9 +1,10 @@
 {
-    "admin": false,
-    "description": "",
-    "display_name": "Expected To Fail",
-    "display_order": 0,
-    "parent_groups": null,
-    "process_groups": [],
-    "process_models": []
+  "admin": false,
+  "garbage": true,
+  "description": "",
+  "display_name": "Expected To Fail",
+  "display_order": 0,
+  "parent_groups": null,
+  "process_groups": [],
+  "process_models": []
 }