From 5fba1735c2bc0b09236ae643d6c6f0453ae23b94 Mon Sep 17 00:00:00 2001
From: red person <redpersoncoding@gmail.com>
Date: Wed, 3 Jun 2026 08:07:03 +0300
Subject: [PATCH] Ignore invalid editor draft payloads (#1533)

---
 routes/editor_draft_routes.py      | 14 +++++++++-----
 tests/test_editor_draft_payload.py | 24 ++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 5 deletions(-)
 create mode 100644 tests/test_editor_draft_payload.py

diff --git a/routes/editor_draft_routes.py b/routes/editor_draft_routes.py
index 3c28439..02641a5 100644
--- a/routes/editor_draft_routes.py
+++ b/routes/editor_draft_routes.py
@@ -67,6 +67,14 @@ def _summary(d: EditorDraft) -> Dict[str, Any]:
     }
 
 
+def _load_payload(raw: Optional[str]) -> Dict[str, Any]:
+    try:
+        payload = json.loads(raw) if raw else {}
+    except Exception:
+        return {}
+    return payload if isinstance(payload, dict) else {}
+
+
 def setup_editor_draft_routes() -> APIRouter:
     router = APIRouter(tags=["editor-drafts"])
 
@@ -93,13 +101,9 @@ def setup_editor_draft_routes() -> APIRouter:
             ).first()
             if not d or not _owns(d, user):
                 raise HTTPException(404, "Draft not found")
-            try:
-                payload = json.loads(d.payload) if d.payload else {}
-            except Exception:
-                payload = {}
             return {
                 **_summary(d),
-                "payload": payload,
+                "payload": _load_payload(d.payload),
             }
         finally:
             db.close()
diff --git a/tests/test_editor_draft_payload.py b/tests/test_editor_draft_payload.py
new file mode 100644
index 0000000..53889b1
--- /dev/null
+++ b/tests/test_editor_draft_payload.py
@@ -0,0 +1,24 @@
+import sys
+import types
+from unittest.mock import MagicMock
+
+
+def _load_module(monkeypatch):
+    db_stub = types.ModuleType("core.database")
+    db_stub.EditorDraft = MagicMock()
+    db_stub.SessionLocal = MagicMock()
+    monkeypatch.setitem(sys.modules, "core.database", db_stub)
+    monkeypatch.delitem(sys.modules, "routes.editor_draft_routes", raising=False)
+
+    import routes.editor_draft_routes as mod
+
+    return mod
+
+
+def test_load_payload_rejects_non_object_json(monkeypatch):
+    mod = _load_module(monkeypatch)
+
+    assert mod._load_payload("[]") == {}
+    assert mod._load_payload('"draft"') == {}
+    assert mod._load_payload("{bad json") == {}
+    assert mod._load_payload('{"layers": []}') == {"layers": []}