Add some more validation

program/views.py

@@ -535,10 +535,17 @@ class APITimeSlotViewSet(viewsets.ModelViewSet):
             start = datetime.combine(datetime.strptime(self.request.query_params.get('start'), '%Y-%m-%d').date(), time(0, 0))
             end = datetime.combine(datetime.strptime(self.request.query_params.get('end'), '%Y-%m-%d').date(), time(23, 59))
 
-        # Is this safe?
-        order = self.request.query_params.get('order', '-start')
+        default_order = '-start'
+        order = self.request.query_params.get('order', default_order)
 
-        if ('surrounding' in self.request.query_params):
+        # If someone tries to sort by a field that isn't available on the model
+        # we silently ignore that and use the default sort order.
+        model_fields = [field.name for field in TimeSlot._meta.get_fields()]
+        if order not in model_fields:
+            order = default_order
+
+
+        if 'surrounding' in self.request.query_params:
             today = datetime.today()
 
             nearest_timeslots_in_future = TimeSlot.objects.filter(start__gte=today).order_by('start').values_list('id', flat=True)[:5]