From a9249bbd28e3ede5180c7a088453f4e3e6518c4a Mon Sep 17 00:00:00 2001
From: Jannis Mattheis
Date: Tue, 23 Jun 2020 17:01:28 +0200
Subject: [PATCH] Don't use id provided from POST /message api
---
 api/message.go | 1 +
 api/message_test.go | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/api/message.go b/api/message.go
index 3d64882..b89989c 100644
--- a/api/message.go
+++ b/api/message.go
@@ -367,6 +367,7 @@ func (a *MessageAPI) CreateMessage(ctx *gin.Context) {
 message.Title = application.Name
 }
 message.Date = timeNow()
+ message.ID = 0
 msgInternal := toInternalMessage(&message)
 if success := successOrAbort(ctx, 500, a.DB.CreateMessage(msgInternal)); !success {
 return
diff --git a/api/message_test.go b/api/message_test.go
index 6376981..a127cbb 100644
--- a/api/message_test.go
+++ b/api/message_test.go
@@ -408,6 +408,23 @@ func (s *MessageSuite) Test_CreateMessage_WithBlankTitle() {
 assert.Equal(s.T(), 200, s.recorder.Code)
 assert.Equal(s.T(), "mymessage", msgs[0].Message)
 }
+
+func (s *MessageSuite) Test_CreateMessage_IgnoreID() {
+ auth.RegisterAuthentication(s.ctx, nil, 4, "app-token")
+ s.db.User(4).AppWithTokenAndName(8, "app-token", "Application name")
+
+ s.ctx.Request = httptest.NewRequest("POST", "/message", strings.NewReader(`{"message": "mymessage", "id": 1337}`))
+ s.ctx.Request.Header.Set("Content-Type", "application/json")
+
+ s.a.CreateMessage(s.ctx)
+
+ msgs, err := s.db.GetMessagesByApplication(8)
+ assert.NoError(s.T(), err)
+ assert.Len(s.T(), msgs, 1)
+ assert.NotEqual(s.T(), msgs[0].ID, uint(1337))
+ assert.Equal(s.T(), 200, s.recorder.Code)
+}
+
 func (s *MessageSuite) Test_CreateMessage_WithExtras() {
 auth.RegisterAuthentication(s.ctx, nil, 4, "app-token")
 s.db.User(4).AppWithTokenAndName(8, "app-token", "Application name")
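Review bot: `message.ID = 0` in CreateMessage has no comment, so nothing tells a later reader that the zeroing is a security control and not leftover initialisation that a refactor may drop. I would add `// ID is server-assigned: discard any id bound from the request body so a caller cannot choose the stored message's id.` directly above it. Clearing fields one by one after binding is a deny-list, so every other server-controlled field on the bound struct needs the same reset. The binding call and the application assignment sit outside this hunk, so that should be checked there; a request struct without an `id` field would presumably close the whole class. CreateMessage starts and ends outside the hunk.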
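Review bot: `assert.NotEqual(s.T(), msgs[0].ID, uint(1337))` in Test_CreateMessage_IgnoreID is a weak check: testify compares type as well as value, so if the ID field were not a plain `uint` (its type is not visible in this hunk) the assertion would pass even when the id came from the request. It also only shows the id differs from 1337 on an empty table. The case the fix guards is a request whose `id` matches a message that already exists, so seeding one and asserting that it is unchanged and that a second message was created would pin the behaviour. Because `assert.Len` does not stop the test, `msgs[0]` panics on an empty result; `require.Len(s.T(), msgs, 1)` would fail cleanly, if the suite already pulls in `require`.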