Prevent setting id while inserting / updating applications

This commit is contained in:
mateuscelio 2022-07-24 05:48:14 -03:00 committed by GitHub
parent 0d18b421e1
commit f16ce59e6c
3 changed files with 94 additions and 13 deletions


@ -29,6 +29,23 @@ type ApplicationAPI struct {
ImageDir string ImageDir string
} }
// Application Params Model
//
// Params allowed to create or update Applications
//
// swagger:model ApplicationParams
type ApplicationParams struct {
// The application name. This is how the application should be displayed to the user.
//
// required: true
// example: Backup Server
Name string `form:"name" query:"name" json:"name" binding:"required"`
// The description of the application.
//
// example: Backup server for the interwebs
Description string `form:"description" query:"description" json:"description"`
}
// CreateApplication creates an application and returns the access token. // CreateApplication creates an application and returns the access token.
// swagger:operation POST /application application createApp // swagger:operation POST /application application createApp
// //
@ -44,7 +61,7 @@ type ApplicationAPI struct {
// description: the application to add // description: the application to add
// required: true // required: true
// schema: // schema:
// $ref: "#/definitions/Application" // $ref: "#/definitions/ApplicationParams"
// responses: // responses:
// 200: // 200:
// description: Ok // description: Ok
@ -63,11 +80,16 @@ type ApplicationAPI struct {
// schema: // schema:
// $ref: "#/definitions/Error" // $ref: "#/definitions/Error"
func (a *ApplicationAPI) CreateApplication(ctx *gin.Context) { func (a *ApplicationAPI) CreateApplication(ctx *gin.Context) {
app := model.Application{} applicationParams := ApplicationParams{}
if err := ctx.Bind(&app); err == nil { if err := ctx.Bind(&applicationParams); err == nil {
app.Token = auth.GenerateNotExistingToken(generateApplicationToken, a.applicationExists) app := model.Application{
app.UserID = auth.GetUserID(ctx) Name: applicationParams.Name,
app.Internal = false Description: applicationParams.Description,
Token: auth.GenerateNotExistingToken(generateApplicationToken, a.applicationExists),
UserID: auth.GetUserID(ctx),
Internal: false,
}
if success := successOrAbort(ctx, 500, a.DB.CreateApplication(&app)); !success { if success := successOrAbort(ctx, 500, a.DB.CreateApplication(&app)); !success {
return return
} }
@ -184,7 +206,7 @@ func (a *ApplicationAPI) DeleteApplication(ctx *gin.Context) {
// description: the application to update // description: the application to update
// required: true // required: true
// schema: // schema:
// $ref: "#/definitions/Application" // $ref: "#/definitions/ApplicationParams"
// - name: id // - name: id
// in: path // in: path
// description: the application id // description: the application id
@ -219,10 +241,10 @@ func (a *ApplicationAPI) UpdateApplication(ctx *gin.Context) {
return return
} }
if app != nil && app.UserID == auth.GetUserID(ctx) { if app != nil && app.UserID == auth.GetUserID(ctx) {
newValues := &model.Application{} applicationParams := ApplicationParams{}
if err := ctx.Bind(newValues); err == nil { if err := ctx.Bind(&applicationParams); err == nil {
app.Description = newValues.Description app.Description = applicationParams.Description
app.Name = newValues.Name app.Name = applicationParams.Name
if success := successOrAbort(ctx, 500, a.DB.UpdateApplication(app)); !success { if success := successOrAbort(ctx, 500, a.DB.UpdateApplication(app)); !success {
return return
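Review bot: The new ApplicationParams struct is the allowlist that keeps ID, Token, UserID, Internal and Image out of client control, but nothing in its doc comment says so, so a later "add a field to the params" change can silently reopen the mass-assignment this commit closes. I would add, under the swagger:model line, `// Deliberately excludes server-managed fields (ID, Token, UserID, Internal, Image); add a field here only if clients are allowed to set it on create and update.` The same intent is worth a one-line comment where CreateApplication copies the params into model.Application, since `Internal: false` reads as an accident rather than a decision. The bodies of CreateApplication and UpdateApplication continue outside the shown hunks.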


@ -2,6 +2,7 @@ package api
import ( import (
"bytes" "bytes"
"encoding/json"
"errors" "errors"
"io" "io"
"io/ioutil" "io/ioutil"
@ -107,6 +108,35 @@ func (s *ApplicationSuite) Test_CreateApplication_expectBadRequestOnEmptyName()
} }
} }
func (s *ApplicationSuite) Test_CreateApplication_ignoresReadOnlyPropertiesInParams() {
s.db.User(5)
test.WithUser(s.ctx, 5)
s.withJSON(&model.Application{
Name: "name",
Description: "description",
ID: 333,
Internal: true,
Token: "token",
Image: "adfdf",
})
s.a.CreateApplication(s.ctx)
expectedJSONValue, _ := json.Marshal(&model.Application{
ID: 1,
Token: firstApplicationToken,
UserID: 5,
Name: "name",
Description: "description",
Internal: false,
Image: "static/defaultapp.png",
})
assert.Equal(s.T(), 200, s.recorder.Code)
assert.Equal(s.T(), string(expectedJSONValue), s.recorder.Body.String())
}
func (s *ApplicationSuite) Test_DeleteApplication_expectNotFoundOnCurrentUserIsNotOwner() { func (s *ApplicationSuite) Test_DeleteApplication_expectNotFoundOnCurrentUserIsNotOwner() {
s.db.User(2) s.db.User(2)
s.db.User(5).App(5) s.db.User(5).App(5)
@ -505,6 +535,12 @@ func (s *ApplicationSuite) withFormData(formData string) {
s.ctx.Request.Header.Set("Content-Type", "application/x-www-form-urlencoded") s.ctx.Request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
} }
func (s *ApplicationSuite) withJSON(value interface{}) {
jsonVal, _ := json.Marshal(value)
s.ctx.Request = httptest.NewRequest("POST", "/application", bytes.NewBuffer(jsonVal))
s.ctx.Request.Header.Set("Content-Type", "application/json")
}
// A modified version of https://stackoverflow.com/a/20397167/4244993 from Attila O. // A modified version of https://stackoverflow.com/a/20397167/4244993 from Attila O.
func upload(values map[string]*os.File) (contentType string, buffer bytes.Buffer, err error) { func upload(values map[string]*os.File) (contentType string, buffer bytes.Buffer, err error) {
w := multipart.NewWriter(&buffer) w := multipart.NewWriter(&buffer)
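Review bot: Test_CreateApplication_ignoresReadOnlyPropertiesInParams pins the create path, but the equally changed UpdateApplication path has no counterpart, so a regression that lets PUT overwrite ID, Token, Internal or Image would pass this suite; a mirrored `Test_UpdateApplication_ignoresReadOnlyPropertiesInParams` that sends the same read-only fields to an owned app and asserts they are unchanged would close that gap. Separately, both `json.Marshal` calls in the new code discard their error with `_` (the expectedJSONValue line and withJSON), which in a test turns a marshal failure into a confusing comparison mismatch; `jsonVal, err := json.Marshal(value)` followed by `assert.NoError(s.T(), err)` keeps the failure at its source. The upload helper at the end of the section continues outside the hunk.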


@ -99,7 +99,7 @@
"in": "body", "in": "body",
"required": true, "required": true,
"schema": { "schema": {
"$ref": "#/definitions/Application" "$ref": "#/definitions/ApplicationParams"
} }
} }
], ],
@ -162,7 +162,7 @@
"in": "body", "in": "body",
"required": true, "required": true,
"schema": { "schema": {
"$ref": "#/definitions/Application" "$ref": "#/definitions/ApplicationParams"
} }
}, },
{ {
@ -1948,6 +1948,29 @@
}, },
"x-go-package": "github.com/gotify/server/v2/model" "x-go-package": "github.com/gotify/server/v2/model"
}, },
"ApplicationParams": {
"description": "Params allowed to create or update Applications",
"type": "object",
"title": "Application Params Model",
"required": [
"name"
],
"properties": {
"description": {
"description": "The description of the application.",
"type": "string",
"x-go-name": "Description",
"example": "Backup server for the interwebs"
},
"name": {
"description": "The application name. This is how the application should be displayed to the user.",
"type": "string",
"x-go-name": "Name",
"example": "Backup Server"
}
},
"x-go-package": "github.com/gotify/server/v2/api"
},
"Client": { "Client": {
"description": "The Client holds information about a device which can receive notifications (and other stuff).", "description": "The Client holds information about a device which can receive notifications (and other stuff).",
"type": "object", "type": "object",