From 64e3676b87ee9fd36c17ca56980ea32f02b1f468 Mon Sep 17 00:00:00 2001
From: Jordi Masip
Date: Mon, 12 Dec 2022 14:55:31 +0100
Subject: [PATCH] Fix not checking if the ID is valid when duplicating a resource
---
 CHANGELOG.rst | 2 ++
 guillotina/content.py | 4 ++++
 guillotina/tests/test_api.py | 7 +++++++
 3 files changed, 13 insertions(+)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 7b483d1ad..44f837629 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -4,6 +4,8 @@ CHANGELOG
 6.5.0 (unreleased)
 ------------------
+- Fix not checking if the ID is valid when duplicating a resource
+ [masipcat]
 - Fix content.async_get() catches KeyError exceptions unrelated to txn.get_child()
 - Deps: replace aioredis with redis-py
 - Deps: updated flake8 so it won't depend on 'importlib-metadata<5'
diff --git a/guillotina/content.py b/guillotina/content.py
index 911d89ce2..f43dc5c20 100644
--- a/guillotina/content.py
+++ b/guillotina/content.py
@@ -710,6 +710,10 @@ async def duplicate(
 count += 1
 new_id = f"{context.id}-duplicate-{count}"
+ id_checker = get_adapter(context, IIDChecker)
+ if not isinstance(new_id, str) or not await id_checker(new_id, context.type_name):
+ raise PreconditionFailed(new_id, "Invalid id")
+
 from guillotina.content import create_content_in_container
 creators = context.creators
diff --git a/guillotina/tests/test_api.py b/guillotina/tests/test_api.py
index 1cb16b62d..cd6b9493a 100644
--- a/guillotina/tests/test_api.py
+++ b/guillotina/tests/test_api.py
@@ -609,6 +609,13 @@ async def test_duplicate_content(container_requester):
 )
 folder_uid = response["@uid"]
+ _, status = await requester(
+ "POST",
+ "/db/guillotina/foobar1/@duplicate",
+ data=json.dumps({"new_id": "inva/id_path", "destination": "/folder"}),
+ )
+ assert status == 412
+
 await requester(
 "POST",
 "/db/guillotina/foobar1/@duplicate",
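Review bot: In `guillotina/content.py`, the added `raise PreconditionFailed(new_id, "Invalid id")` passes the caller-supplied id as the exception's first argument, so whatever renders the 412 is handed a request-controlled string in that slot. The constructor is not visible here; if its first parameter is meant to be the resource, `raise PreconditionFailed(context, "Invalid id")` would keep the rejected value out of it. The guard runs only after `new_id` has been finalised, and the part of `duplicate` above the hunk is not shown, so it is worth confirming that nothing there uses the id against the destination before it has been validated. A comment such as `# new_id may come from the request body; reject ids IIDChecker refuses before creating content` would record why the guard sits here.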
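Review bot: In `guillotina/tests/test_api.py`, the added request exercises only the string-containing-a-slash case, so the `not isinstance(new_id, str)` branch introduced in `duplicate` has no coverage. A second request with a non-string value, for example `data=json.dumps({"new_id": 123, "destination": "/folder"})` followed by `assert status == 412`, would pin that branch, assuming the endpoint forwards the JSON value unchanged. The test also checks only the status code; asserting afterwards that `/folder` gained no child would show the rejection happens before any write. `test_duplicate_content` begins and continues outside this hunk.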