Verify that key values are not changed on update

2025-11-12 08:25:44 +01:00 · 2018-07-05 13:19:49 +02:00
parent 0bbc58b978
commit b6c618b0b0
4 changed files with 31 additions and 4 deletions
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/IdResourceManagerAdapter.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/IdResourceManagerAdapter.java
@@ -34,7 +34,11 @@ class IdResourceManagerAdapter<MODEL_OBJECT extends ModelObject,
  }

  public Response update(String id, Function<MODEL_OBJECT, MODEL_OBJECT> applyChanges) {
-    return singleAdapter.update(() -> manager.get(id), applyChanges);
+    return singleAdapter.update(
+      () -> manager.get(id),
+      applyChanges,
+      changed -> changed.getId().equals(id)
+    );
  }

  public Response getAll(int page, int pageSize, String sortBy, boolean desc, Function<PageResult<MODEL_OBJECT>, CollectionDto> mapToDto) {
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/RepositoryResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/RepositoryResource.java
@@ -94,7 +94,8 @@ public class RepositoryResource {
  public Response update(@PathParam("namespace") String namespace, @PathParam("name") String name, RepositoryDto repositoryDto) {
    return adapter.update(
      () -> manager.getByNamespace(namespace, name),
-      existing -> dtoToRepositoryMapper.map(repositoryDto, existing.getId())
+      existing -> dtoToRepositoryMapper.map(repositoryDto, existing.getId()),
+      changed -> changed.getName().equals(name) && changed.getNamespace().equals(namespace)
    );
  }

--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/SingleResourceManagerAdapter.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/SingleResourceManagerAdapter.java
@@ -9,6 +9,7 @@ import javax.ws.rs.core.GenericEntity;
 import javax.ws.rs.core.Response;
 import java.util.Collection;
 import java.util.function.Function;
+import java.util.function.Predicate;
 import java.util.function.Supplier;

 import static javax.ws.rs.core.Response.Status.BAD_REQUEST;
@@ -48,13 +49,13 @@ class SingleResourceManagerAdapter<MODEL_OBJECT extends ModelObject,
   * Update the model object for the given id according to the given function and returns a corresponding http response.
   * This handles all corner cases, eg. no matching object for the id or missing privileges.
   */
-  public Response update(Supplier<MODEL_OBJECT> reader, Function<MODEL_OBJECT, MODEL_OBJECT> applyChanges) {
+  public Response update(Supplier<MODEL_OBJECT> reader, Function<MODEL_OBJECT, MODEL_OBJECT> applyChanges, Predicate<MODEL_OBJECT> hasSameKey) {
    MODEL_OBJECT existingModelObject = reader.get();
    if (existingModelObject == null) {
      return Response.status(Response.Status.NOT_FOUND).build();
    }
    MODEL_OBJECT changedModelObject = applyChanges.apply(existingModelObject);
-    if (!getId(existingModelObject).equals(getId(changedModelObject))) {
+    if (!hasSameKey.test(changedModelObject)) {
      return Response.status(BAD_REQUEST).entity("illegal change of id").build();
    }
    return update(getId(existingModelObject), changedModelObject);