Merged 5.2.N (5.2.1) to HEAD (5.2)

131408 mward: REPO-1348/REPO-1349: implemented checks to guard against invalid fields
   Explicitly rejects fields: id, guid and role


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@132257 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/rest/api/sites/SiteEntityResource.java

@@ -133,10 +133,28 @@ public class SiteEntityResource implements EntityResourceAction.Read<Site>,
     @WebApiDescription(title="Update site", description="Update the Share site")
     public Site update(String siteId, Site site, Parameters parameters)
     {
+        // Until REPO-110 is solved, we need to explicitly test for the presence of fields
+        // on the Site object that aren't valid SiteUpdate fields. Once REPO-110 is solved,
+        // the update method will take a SiteUpdate as a parameter rather than a Site
+        // and only the correct fields will be exposed. Any attempt to access illegal fields
+        // should then result in the framework returning a 400 automatically.
+        if (site.getId() != null)
+        {
+            throw new InvalidArgumentException("Site update does not support field: id");
+        }
+        if (site.getGuid() != null)
+        {
+            throw new InvalidArgumentException("Site update does not support field: guid");
+        }
+        if (site.getRole() != null)
+        {
+            throw new InvalidArgumentException("Site update does not support field: role");
+        }
+
+        // Bind valid fields to a SiteUpdate instance.
         final String title = site.getTitle();
         final String description = site.getDescription();
         final SiteVisibility visibility = site.getVisibility();
-
         SiteUpdate update = new SiteUpdate(title, description, visibility);
 
         return sites.updateSite(siteId, update, parameters);

source/test-java/org/alfresco/rest/api/tests/TestSites.java

@@ -657,6 +657,44 @@ public class TestSites extends EnterpriseTestApi
                     null,
                     "Expected 400 response when updating "+site.getSiteId(), 400);
 
+            // Invalid fields
+            // Check that id, guid and role are not silently ignored. This is until REPO-110
+            // is implemented, since we currently have to bind to Site rather than SiteUpdate in
+            // SiteEntityResource.update
+            sitesProxy.update(
+                    "sites",
+                    site.getSiteId(),
+                    null,
+                    null,
+                    "{\n" +
+                    "  \"id\": \"a-new-id\"," +
+                    "  \"title\": \"Updated Title\"\n" +
+                    "}",
+                    null,
+                    "Expected 400 response when updating "+site.getSiteId(), 400);
+
+            sitesProxy.update(
+                    "sites",
+                    site.getSiteId(),
+                    null,
+                    null,
+                    "{\n" +
+                    "  \"guid\": \"76ba60c1-f05b-406a-86a4-4eeb1bb49aaa\"" +
+                    "}",
+                    null,
+                    "Expected 400 response when updating "+site.getSiteId(), 400);
+
+            sitesProxy.update(
+                    "sites",
+                    site.getSiteId(),
+                    null,
+                    null,
+                    "{\n" +
+                    "  \"role\": \"SiteConsumer\"" +
+                    "}",
+                    null,
+                    "Expected 400 response when updating "+site.getSiteId(), 400);
+
             // Details should not have changed.
             Site fresh = sitesProxy.getSite(site.getSiteId(), 200);
             site.expected(fresh);