diff --git a/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java b/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java
index d829201d42..f06eab6775 100644
--- a/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java
+++ b/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java
@@ -1162,7 +1162,11 @@ private ArtifactMetaData handleIfExistsReturnOrUpdate(String groupId, String art
 return updateArtifactInternal(groupId, artifactId, version, artifactName, artifactDescription, content, contentType, references);
 }
- private ArtifactMetaData updateArtifactInternal(String groupId, String artifactId, String version,
+ /**
+ * Internally updates the artifact. This method has to be annotated with @Authorized because it's used by the ifExists feature. This has been refactored in 3.0.
+ */
+ @Authorized(style = AuthorizedStyle.GroupAndArtifact, level = AuthorizedLevel.Write)
+ protected ArtifactMetaData updateArtifactInternal(String groupId, String artifactId, String version,
 String name, String description, ContentHandle content, String contentType, List references) {
diff --git a/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java b/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java
index 1d3fc03880..ef72c81d65 100644
--- a/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java
+++ b/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java
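Review bot: The new Javadoc on `updateArtifactInternal` says the method must carry `@Authorized`, but it does not say why the visibility was widened from `private` to `protected`, and that is the part a later "tighten visibility" cleanup is most likely to undo. The call from `handleIfExistsReturnOrUpdate` is a self-invocation on the same bean, so the interceptor binding is only honoured if the container can override the method (a private method cannot be overridden by the generated interceptor subclass — confirm against the CDI implementation this project runs on); reverting to `private` would compile fine and silently drop the ownership check that the test in SimpleAuthTest.java is pinning. Suggest extending the comment with: `Must remain non-private: it is called directly from handleIfExistsReturnOrUpdate on this bean, and the @Authorized interceptor is only applied to methods the container can intercept.` Note that `handleIfExistsReturnOrUpdate` begins outside the hunk and the body of `updateArtifactInternal` continues past it.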
@@ -256,6 +256,11 @@ public void testOwnerOnlyAuthorization() throws Exception {
 clientDev.updateArtifactMetaData(groupId, artifactId, updatedMetaData);
 });
+ // Dev user cannot update with ifExists the same artifact because Dev user is not the owner
+ Assertions.assertThrows(ForbiddenException.class, () -> {
+ clientDev.createArtifact(groupId, artifactId, ArtifactType.JSON, IfExists.RETURN_OR_UPDATE, new ByteArrayInputStream("{fffff}".getBytes()));
+ });
+ // But the admin user CAN make the change.
 clientAdmin.updateArtifactMetaData(groupId, artifactId, updatedMetaData);
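Review bot: The added assertion only covers the negative side of the new authorization: nothing in this hunk shows that the owner or the admin can still take the `IfExists.RETURN_OR_UPDATE` path after `updateArtifactInternal` became `@Authorized`, so an over-strict annotation (or a wrong `AuthorizedStyle`) would pass this test unnoticed. Consider a positive `clientAdmin.createArtifact(...)` call with the same arguments next to the existing admin check, and, if the `IfExists.UPDATE` variant also reaches `updateArtifactInternal` (not visible here), the same `ForbiddenException` assertion for it. Minor style point: `"{fffff}".getBytes()` uses the platform default charset; prefer `"{fffff}".getBytes(StandardCharsets.UTF_8)` (needs the `java.nio.charset.StandardCharsets` import if the test does not already have it). `testOwnerOnlyAuthorization` starts outside the hunk.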