geopython · tomkralidis · Aug 19, 2024 · Jul 30, 2024 · Aug 19, 2024 · Aug 19, 2024
diff --git a/pygeoapi/api/itemtypes.py b/pygeoapi/api/itemtypes.py
@@ -387,8 +387,12 @@ def get_collection_items(
 
     LOGGER.debug('processing property parameters')
     for k, v in request.params.items():
-        if k not in reserved_fieldnames and k in list(p.fields.keys()):
-            LOGGER.debug(f'Adding property filter {k}={v}')
+        if k not in reserved_fieldnames:
+            if k in list(p.fields.keys()):
+                LOGGER.debug(f'Adding property filter {k}={v}')
+            else:
+                LOGGER.debug(f'Adding additional property filter {k}={v}')
+
             properties.append((k, v))
 
     LOGGER.debug('processing sort parameter')

diff --git a/pygeoapi/provider/oracle.py b/pygeoapi/provider/oracle.py
@@ -647,6 +647,19 @@ def query(
 
         :returns: GeoJSON FeaturesCollection
         """
+        LOGGER.debug(f"properties contains: {properties}")
+
+        # NOTE: properties contains field keys plus extra params
+        #       need to split them up here
+        filtered_properties = []
+        extra_params = {}
+        for (key, value) in properties:
+            if key in self.fields.keys():
+                filtered_properties.append((key, value))
+            else:
+                extra_params[key] = value
+
+        properties = filtered_properties
 
         # Check mandatory filter properties
         property_dict = dict(properties)
@@ -804,6 +817,7 @@ def query(
                     q,
                     language,
                     filterq,
+                    extra_params=extra_params
                 )
 
             # Clean up placeholders that aren't used by the

diff --git a/tests/test_oracle_provider.py b/tests/test_oracle_provider.py
@@ -62,8 +62,11 @@ def process_query(
         q,
         language,
         filterq,
+        extra_params
     ):
         sql = "ID = 10 AND :foo != :bar"
+        if extra_params.get("custom-auth") == "forbidden":
+            sql = f"{sql} AND 'auth' = 'you are not allowed'"
 
         if sql_query.find(" WHERE ") == -1:
             sql_query = sql_query.replace("#WHERE#", f" WHERE {sql}")
@@ -632,6 +635,15 @@ def test_query_mandatory_properties_must_be_specified(config):
         p.query(properties=[("id", "123")])
 
 
+def test_extra_params_are_passed_to_sql_manipulator(config_manipulator):
+    extra_params = [("custom-auth", "forbidden")]
+
+    p = OracleProvider(config_manipulator)
+    response = p.query(properties=extra_params)
+
+    assert not response['features']
+
+
 @pytest.fixture()
 def database_connection_pool(config_db_conn):
     os.environ["ORACLE_POOL_MIN"] = "2"  # noqa: F841