Reject permission requests with missing permissions

2025-11-12 08:25:44 +01:00 · 2019-05-20 14:30:57 +02:00
parent 661e935209
commit af468898b9
2 changed files with 5 additions and 1 deletions
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PermissionListDto.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/PermissionListDto.java
@@ -7,12 +7,15 @@ import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
 import javax.validation.constraints.NotNull;
@Getter
@Setter
@AllArgsConstructor
@NoArgsConstructor
 public class PermissionListDto extends HalRepresentation {
  @NotNull
  private String[] permissions;
  @Override
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserPermissionResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserPermissionResource.java
@@ -8,6 +8,7 @@ import sonia.scm.security.PermissionDescriptor;
 import sonia.scm.web.VndMediaType;
 import javax.inject.Inject;
 import javax.validation.Valid;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
 import javax.ws.rs.PUT;
@@ -69,7 +70,7 @@ public class UserPermissionResource {
    @ResponseCode(code = 500, condition = "internal server error")
  })
  @TypeHint(TypeHint.NO_CONTENT.class)
-  public Response overwritePermissions(@PathParam("id") String id, PermissionListDto newPermissions) {
+  public Response overwritePermissions(@PathParam("id") String id, @Valid PermissionListDto newPermissions) {
    Collection<PermissionDescriptor> permissionDescriptors = Arrays.stream(newPermissions.getPermissions())
      .map(PermissionDescriptor::new)
      .collect(Collectors.toList());