[Bug]: ProgramPrintables.paid_list() crashes when filter contains a non-integer value #5731

@moksha-hub

Description

esp/esp/program/modules/handlers/programprintables.py can crash in paid_list() when the filter query parameter contains a non-integer value.

Why this matters

The paid-list printable is an admin workflow used to review program charges and payments. A malformed or tampered filter value should fall back safely or raise a clean user-facing error, not crash the page.

Right now, the handler tries to parse request.GET.getlist('filter') as integers. If any value fails integer conversion, it sets ids = None, but then stores the fallback queryset in transfers instead of lineitems. A few lines later, the code always iterates over lineitems, which is undefined in that branch.

This means a bad filter value can trigger an exception instead of rendering the printable.

Evidence

Relevant code:
esp/esp/program/modules/handlers/programprintables.py

Current control flow in paid_list():

  • parse request.GET.getlist('filter')
  • on ValueError, set:
    • ids = None
    • single_select = False
  • then in the ids is None branch assign:
    • transfers = ...
  • but later always do:
    • for lineitem in lineitems:

Because lineitems is not assigned in that fallback branch, the function can raise an exception before rendering.

Steps to Reproduce

  1. Open esp/esp/program/modules/handlers/programprintables.py.
  2. Locate paid_list().
  3. Follow the branch where:
    • 'filter' in request.GET
    • integer conversion raises ValueError
  4. Observe that the fallback queryset is assigned to transfers, not lineitems.
  5. Observe that the function later iterates over lineitems unconditionally.

A request like this should hit the bad path:
...?filter=abc

Expected Behavior

If filter contains an invalid value, the handler should either:

  • fall back to the unfiltered paid list, or
  • show a clean user-facing error

It should not crash.

Actual Behavior

An invalid filter value can leave lineitems undefined and cause the handler to fail before rendering the page.

Impact

This is a real crash path in an admin printable workflow. It can be triggered by malformed query parameters, stale links, or manual URL edits.

Suggested Fix

In the invalid-filter fallback branch, assign the queryset to lineitems instead of transfers, or otherwise normalize the branches so the later code always works with the same variable.
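The control-flow defect and the suggested fix, reconstructed in plain Python as an added example (not the project's handler): the line items, the helper names and the crashes_on() check are constructed stand-ins for the Django queryset code the issue describes.

```python
# Added example, not the project's code. Line items are modelled as dicts with an
# integer id; LINEITEMS is constructed sample data standing in for the queryset.
LINEITEMS = [
    {"id": 1, "desc": "tuition"},
    {"id": 2, "desc": "lunch"},
    {"id": 3, "desc": "shirt"},
]


def parse_filter(values):
    """Mirror the handler's parsing of request.GET.getlist('filter'):
    int-convert every value; any non-integer value means 'no filter'
    (ids=None, single_select=False), exactly as the issue describes."""
    try:
        ids = [int(v) for v in values]
    except ValueError:
        return None, False
    return ids, len(ids) == 1


def paid_list_buggy(filter_values):
    """Shape of the reported bug: the fallback branch fills `transfers`,
    but the later loop reads `lineitems`, which is unbound in that branch."""
    ids, single_select = parse_filter(filter_values)
    if ids is None:
        transfers = list(LINEITEMS)            # wrong variable name
    else:
        lineitems = [li for li in LINEITEMS if li["id"] in ids]
    return [li["desc"] for li in lineitems]    # UnboundLocalError when ids is None


def paid_list_fixed(filter_values):
    """Suggested fix: both branches populate the same variable, so an
    invalid filter value falls back to the unfiltered paid list."""
    ids, single_select = parse_filter(filter_values)
    if ids is None:
        lineitems = list(LINEITEMS)
    else:
        lineitems = [li for li in LINEITEMS if li["id"] in ids]
    return [li["desc"] for li in lineitems]


def crashes_on(handler, filter_values):
    """True if the handler raises the unbound-variable error for this filter."""
    try:
        handler(filter_values)
    except UnboundLocalError:
        return True
    return False
```

With ?filter=abc the buggy version raises before rendering, while the fixed version returns the full unfiltered list; a valid ?filter=2 behaves identically in both.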

Additional Context

Verified against current main by inspecting paid_list() in:
esp/esp/program/modules/handlers/programprintables.py
