Merged 5.2.N (5.2.1) to HEAD (5.2)

131408 mward: REPO-1348/REPO-1349: implemented checks to guard against invalid fields Explicitly rejects fields: id, guid and role git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@132257 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-14 17:58:59 +00:00 · 2016-11-03 13:51:00 +00:00
parent b3379f798e
commit ed96d6387c
2 changed files with 57 additions and 1 deletions
--- a/source/java/org/alfresco/rest/api/sites/SiteEntityResource.java
+++ b/source/java/org/alfresco/rest/api/sites/SiteEntityResource.java
@@ -133,10 +133,28 @@ public class SiteEntityResource implements EntityResourceAction.Read<Site>,
    @WebApiDescription(title="Update site", description="Update the Share site")
    public Site update(String siteId, Site site, Parameters parameters)
    {
+        // Until REPO-110 is solved, we need to explicitly test for the presence of fields
+        // on the Site object that aren't valid SiteUpdate fields. Once REPO-110 is solved,
+        // the update method will take a SiteUpdate as a parameter rather than a Site
+        // and only the correct fields will be exposed. Any attempt to access illegal fields
+        // should then result in the framework returning a 400 automatically.
+        if (site.getId() != null)
+        {
+            throw new InvalidArgumentException("Site update does not support field: id");
+        }
+        if (site.getGuid() != null)
+        {
+            throw new InvalidArgumentException("Site update does not support field: guid");
+        }
+        if (site.getRole() != null)
+        {
+            throw new InvalidArgumentException("Site update does not support field: role");
+        }
+
+        // Bind valid fields to a SiteUpdate instance.
        final String title = site.getTitle();
        final String description = site.getDescription();
        final SiteVisibility visibility = site.getVisibility();
-
        SiteUpdate update = new SiteUpdate(title, description, visibility);

        return sites.updateSite(siteId, update, parameters);
--- a/source/test-java/org/alfresco/rest/api/tests/TestSites.java
+++ b/source/test-java/org/alfresco/rest/api/tests/TestSites.java
@@ -657,6 +657,44 @@ public class TestSites extends EnterpriseTestApi
                    null,
                    "Expected 400 response when updating "+site.getSiteId(), 400);

+            // Invalid fields
+            // Check that id, guid and role are not silently ignored. This is until REPO-110
+            // is implemented, since we currently have to bind to Site rather than SiteUpdate in
+            // SiteEntityResource.update
+            sitesProxy.update(
+                    "sites",
+                    site.getSiteId(),
+                    null,
+                    null,
+                    "{\n" +
+                    "  \"id\": \"a-new-id\"," +
+                    "  \"title\": \"Updated Title\"\n" +
+                    "}",
+                    null,
+                    "Expected 400 response when updating "+site.getSiteId(), 400);
+
+            sitesProxy.update(
+                    "sites",
+                    site.getSiteId(),
+                    null,
+                    null,
+                    "{\n" +
+                    "  \"guid\": \"76ba60c1-f05b-406a-86a4-4eeb1bb49aaa\"" +
+                    "}",
+                    null,
+                    "Expected 400 response when updating "+site.getSiteId(), 400);
+
+            sitesProxy.update(
+                    "sites",
+                    site.getSiteId(),
+                    null,
+                    null,
+                    "{\n" +
+                    "  \"role\": \"SiteConsumer\"" +
+                    "}",
+                    null,
+                    "Expected 400 response when updating "+site.getSiteId(), 400);
+
            // Details should not have changed.
            Site fresh = sitesProxy.getSite(site.getSiteId(), 200);
            site.expected(fresh);