From f9776242734fbc1170b9215c0bc4b07c27333c35 Mon Sep 17 00:00:00 2001
From: Carles Arnal
Date: Mon, 2 Dec 2024 15:11:19 +0100
Subject: [PATCH] Fix non-owner can update artifact (#5635)

---
 .../io/apicurio/registry/rest/v2/GroupsResourceImpl.java | 6 +++++-
 .../test/java/io/apicurio/registry/auth/SimpleAuthTest.java | 5 +++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java b/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java
index d829201d42..f06eab6775 100644
--- a/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java
+++ b/app/src/main/java/io/apicurio/registry/rest/v2/GroupsResourceImpl.java
@@ -1162,7 +1162,11 @@ private ArtifactMetaData handleIfExistsReturnOrUpdate(String groupId, String art
         return updateArtifactInternal(groupId, artifactId, version, artifactName, artifactDescription, content, contentType, references);
     }
 
-    private ArtifactMetaData updateArtifactInternal(String groupId, String artifactId, String version,
+    /**
+     * Internally updates the artifact. This method has to be annotated with @Authorized because it's used by the ifExists feature. This has been refactored in 3.0.
+     */
+    @Authorized(style = AuthorizedStyle.GroupAndArtifact, level = AuthorizedLevel.Write)
+    protected ArtifactMetaData updateArtifactInternal(String groupId, String artifactId, String version,
             String name, String description, ContentHandle content, String contentType, List references) {
diff --git a/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java b/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java
index 1d3fc03880..ef72c81d65 100644
--- a/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java
+++ b/app/src/test/java/io/apicurio/registry/auth/SimpleAuthTest.java
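Review bot: The fix depends on the @Authorized interceptor firing for the internal call made from handleIfExistsReturnOrUpdate, which is why updateArtifactInternal had to stop being private, but the added Javadoc records neither constraint; a later cleanup that makes the method private again, or a new internal caller that bypasses the public entry point, would silently reopen the gap. Replace the one-line Javadoc with something like `Internally updates the artifact. Must stay non-private and keep @Authorized: the ifExists=RETURN_OR_UPDATE path calls it directly, so this annotation is the only owner/write check on that path.` The same method is presumably also reached from the already-authorized public update endpoint, so the check then runs twice; that looks harmless but deserves a sentence in the Javadoc as well. The body of updateArtifactInternal continues past the hunk, and the enclosing handleIfExistsReturnOrUpdate begins before it.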
@@ -256,6 +256,11 @@ public void testOwnerOnlyAuthorization() throws Exception {
             clientDev.updateArtifactMetaData(groupId, artifactId, updatedMetaData);
         });
 
+        // Dev user cannot update with ifExists the same artifact because Dev user is not the owner
+        Assertions.assertThrows(ForbiddenException.class, () -> {
+            clientDev.createArtifact(groupId, artifactId, ArtifactType.JSON, IfExists.RETURN_OR_UPDATE, new ByteArrayInputStream("{fffff}".getBytes()));
+        });
+
         // But the admin user CAN make the change.
         clientAdmin.updateArtifactMetaData(groupId, artifactId, updatedMetaData);
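Review bot: The new assertion only proves that clientDev receives a ForbiddenException; it does not prove the artifact was left untouched, which is the regression this commit fixes, so reading the latest version back as clientAdmin after the assertThrows and asserting its content is not `{fffff}` would pin the behavior rather than just the status code. `"{fffff}".getBytes()` also uses the platform default charset; prefer `"{fffff}".getBytes(StandardCharsets.UTF_8)` so the test does not depend on the JVM's file.encoding (whether the rest of the file already does this is not visible here). The enclosing testOwnerOnlyAuthorization starts before the hunk and continues after it.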