Fix non-owner can update artifact (#5635)

app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java

@@ -1162,7 +1162,11 @@ private ArtifactMetaData handleIfExistsReturnOrUpdate(String groupId, String art
         return updateArtifactInternal(groupId, artifactId, version, artifactName, artifactDescription, content, contentType, references);
     }
 
-    private ArtifactMetaData updateArtifactInternal(String groupId, String artifactId, String version,
+    /**
+     * Internally updates the artifact. This method has to be annotated with @Authorized because it's used by the ifExists feature. This has been refactored in 3.0.
+     */
+    @Authorized(style = AuthorizedStyle.GroupAndArtifact, level = AuthorizedLevel.Write)
+    protected ArtifactMetaData updateArtifactInternal(String groupId, String artifactId, String version,
                                                     String name, String description,
                                                     ContentHandle content, String contentType, List<ArtifactReference> references) {
 

app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java

@@ -256,6 +256,11 @@ public void testOwnerOnlyAuthorization() throws Exception {
             clientDev.updateArtifactMetaData(groupId, artifactId, updatedMetaData);
         });
 
+        // Dev user cannot update with ifExists the same artifact because Dev user is not the owner
+        Assertions.assertThrows(ForbiddenException.class, () -> {
+            clientDev.createArtifact(groupId, artifactId, ArtifactType.JSON, IfExists.RETURN_OR_UPDATE, new ByteArrayInputStream("{fffff}".getBytes()));
+        });
+
         // But the admin user CAN make the change.
         clientAdmin.updateArtifactMetaData(groupId, artifactId, updatedMetaData);