From ba33a435d43997c68175e922bccf0b204d977526 Mon Sep 17 00:00:00 2001
From: Matt Ward
Date: Thu, 13 Oct 2016 16:19:00 +0000
Subject: [PATCH] REPO-1348/REPO-1349: implemented checks to guard against invalid fields
Explicitly rejects fields: id, guid and role
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@131408 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../rest/api/sites/SiteEntityResource.java | 20 +++++++++-
 .../alfresco/rest/api/tests/TestSites.java | 38 +++++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletion(-)
diff --git a/source/java/org/alfresco/rest/api/sites/SiteEntityResource.java b/source/java/org/alfresco/rest/api/sites/SiteEntityResource.java
index 65052574b3..6e58b06826 100644
--- a/source/java/org/alfresco/rest/api/sites/SiteEntityResource.java
+++ b/source/java/org/alfresco/rest/api/sites/SiteEntityResource.java
@@ -133,10 +133,28 @@ public class SiteEntityResource implements EntityResourceAction.Read,
 @WebApiDescription(title="Update site", description="Update the Share site")
 public Site update(String siteId, Site site, Parameters parameters)
 {
+ // Until REPO-110 is solved, we need to explicitly test for the presence of fields
+ // on the Site object that aren't valid SiteUpdate fields. Once REPO-110 is solved,
+ // the update method will take a SiteUpdate as a parameter rather than a Site
+ // and only the correct fields will be exposed. Any attempt to access illegal fields
+ // should then result in the framework returning a 400 automatically.
+ if (site.getId() != null)
+ {
+ throw new InvalidArgumentException("Site update does not support field: id");
+ }
+ if (site.getGuid() != null)
+ {
+ throw new InvalidArgumentException("Site update does not support field: guid");
+ }
+ if (site.getRole() != null)
+ {
+ throw new InvalidArgumentException("Site update does not support field: role");
+ }
+
+ // Bind valid fields to a SiteUpdate instance.
 final String title = site.getTitle();
 final String description = site.getDescription();
 final SiteVisibility visibility = site.getVisibility();
-
 SiteUpdate update = new SiteUpdate(title, description, visibility);
 return sites.updateSite(siteId, update, parameters);
diff --git a/source/test-java/org/alfresco/rest/api/tests/TestSites.java b/source/test-java/org/alfresco/rest/api/tests/TestSites.java
index b978c441e3..eefe5d473d 100644
--- a/source/test-java/org/alfresco/rest/api/tests/TestSites.java
+++ b/source/test-java/org/alfresco/rest/api/tests/TestSites.java
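Review bot: The new guard in update is a denylist of three Site getters (id, guid, role), so any other Site property that is not bound into SiteUpdate on the following lines — only title, description and visibility are — would still be silently dropped rather than rejected with the 400 the comment says is intended; whether such properties exist depends on the Site bean, which is not visible here. An allowlist would close that gap without waiting for REPO-110: reject the request when any Site getter other than getTitle/getDescription/getVisibility returns non-null, or at minimum extend the checks to every remaining Site getter. The three repeated if-blocks could also collapse into one private helper, e.g. `rejectIfPresent(site.getId(), "id");`, with the helper throwing `new InvalidArgumentException("Site update does not support field: " + name)` when the value is non-null, so a newly added field needs one line rather than four. The closing brace of update lies outside the hunk.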
@@ -657,6 +657,44 @@ public class TestSites extends EnterpriseTestApi
 null,
 "Expected 400 response when updating "+site.getSiteId(), 400);
+ // Invalid fields
+ // Check that id, guid and role are not silently ignored. This is until REPO-110
+ // is implemented, since we currently have to bind to Site rather than SiteUpdate in
+ // SiteEntityResource.update
+ sitesProxy.update(
+ "sites",
+ site.getSiteId(),
+ null,
+ null,
+ "{\n" +
+ " \"id\": \"a-new-id\"," +
+ " \"title\": \"Updated Title\"\n" +
+ "}",
+ null,
+ "Expected 400 response when updating "+site.getSiteId(), 400);
+
+ sitesProxy.update(
+ "sites",
+ site.getSiteId(),
+ null,
+ null,
+ "{\n" +
+ " \"guid\": \"76ba60c1-f05b-406a-86a4-4eeb1bb49aaa\"" +
+ "}",
+ null,
+ "Expected 400 response when updating "+site.getSiteId(), 400);
+
+ sitesProxy.update(
+ "sites",
+ site.getSiteId(),
+ null,
+ null,
+ "{\n" +
+ " \"role\": \"SiteConsumer\"" +
+ "}",
+ null,
+ "Expected 400 response when updating "+site.getSiteId(), 400);
+
 // Details should not have changed.
 Site fresh = sitesProxy.getSite(site.getSiteId(), 200);
 site.expected(fresh);
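Review bot: The three new negative cases assert the status code alone, so a 400 raised for any other reason (a body the endpoint considers malformed, for instance) would satisfy them just as well; if sitesProxy.update gives access to the response body, checking that the error names the rejected field (`Site update does not support field: guid`) would pin the behaviour this commit adds. Only the id case is combined with a valid field (title); sending guid and role alongside a valid title as well would show the rejection does not depend on the body being otherwise empty. Since the calls differ only in the JSON body, driving them from a list also removes the repetition, as sketched below. The enclosing test method starts outside the hunk.
```java
// … unchanged: preceding negative cases …
for (String body : Arrays.asList(
        "{ \"id\": \"a-new-id\", \"title\": \"Updated Title\" }",
        "{ \"guid\": \"76ba60c1-f05b-406a-86a4-4eeb1bb49aaa\", \"title\": \"Updated Title\" }",
        "{ \"role\": \"SiteConsumer\", \"title\": \"Updated Title\" }"))
{
    sitesProxy.update("sites", site.getSiteId(), null, null, body, null,
            "Expected 400 response when updating "+site.getSiteId(), 400);
}
// … unchanged: "Details should not have changed" check …
```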