From 6e3000700e300721c6b139541f7757158c8d3308 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Mon, 25 Mar 2024 12:51:52 +0100
Subject: [PATCH] Do not expose updatedAt changing for admins in work packages

The field may be updating due to external changes (causes, default values, rescheduling)
---
 .../work_packages/create_contract.rb | 2 +-
 config/locales/en.yml | 2 +-
 .../components/schemas/work_package_model.yml | 2 +-
 .../work_packages/create_contract_spec.rb | 2 +-
 .../create_service_integration_spec.rb | 29 ++++++++++++++-----
 5 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/app/contracts/work_packages/create_contract.rb b/app/contracts/work_packages/create_contract.rb
index e8086638b262..9c8c735e7ad9 100644
--- a/app/contracts/work_packages/create_contract.rb
+++ b/app/contracts/work_packages/create_contract.rb
@@ -31,7 +31,7 @@ module WorkPackages
 class CreateContract < BaseContract
 include AdminWritableTimestamps
 
- allow_writable_timestamps
+ allow_writable_timestamps :created_at
 
 attribute :author_id,
 writable: -> { default_attributes_admin_writable? }
diff --git a/config/locales/en.yml b/config/locales/en.yml
index d0a8ec18b764..94721a3df2f0 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -2900,7 +2900,7 @@ Project attributes and sections are defined in the
 If enabled, the API will allow administrators to write static read-only attributes during creation,
- such as createdAt and updatedAt timestamps.
+ such as createdAt and author.
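Review bot: `allow_writable_timestamps :created_at` narrows the admin-writable timestamps for this contract only; the macro itself lives in AdminWritableTimestamps outside the hunk, so whether its no-argument form still includes updated_at, and whether any other contract including the concern still calls it that way, cannot be checked here and is worth confirming, as updatedAt would otherwise remain writable there. The reason for the narrowing is stated only in the commit message; a short comment on the new line would keep it next to the code, e.g. `# Only created_at is admin-writable: updated_at is changed by causes, default values and rescheduling, so a client-supplied value would not survive.` The CreateContract class body continues outside the hunk.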
Warning: This setting has a use-case for e.g., importing data, but allows administrators to impersonate the creation of items as other users. All creation requests are being
diff --git a/docs/api/apiv3/components/schemas/work_package_model.yml b/docs/api/apiv3/components/schemas/work_package_model.yml
index 0f364c55fb45..e6fdbe4f7948 100644
--- a/docs/api/apiv3/components/schemas/work_package_model.yml
+++ b/docs/api/apiv3/components/schemas/work_package_model.yml
@@ -109,7 +109,7 @@ properties:
 updatedAt:
 type: string
 format: date-time
- description: Time of the most recent change to the work package. Can be writable by admins with the `apiv3_write_readonly_attributes` setting enabled.
+ description: Time of the most recent change to the work package.
 readOnly: true
 _links:
 type: object
diff --git a/spec/contracts/work_packages/create_contract_spec.rb b/spec/contracts/work_packages/create_contract_spec.rb
index 810bca17a333..4820e03b5823 100644
--- a/spec/contracts/work_packages/create_contract_spec.rb
+++ b/spec/contracts/work_packages/create_contract_spec.rb
@@ -161,7 +161,7 @@
 let(:user) { build_stubbed(:admin) }
 
 it_behaves_like "can write", :created_at, 1.day.ago
- it_behaves_like "can write", :updated_at, 1.day.ago
+ it_behaves_like "can not write", :updated_at, 1.day.ago
 it_behaves_like "can write", :author_id, 1234
 end
 
diff --git a/spec/services/work_packages/create_service_integration_spec.rb b/spec/services/work_packages/create_service_integration_spec.rb
index 7c9b1373706c..5ff940d2c415 100644
--- a/spec/services/work_packages/create_service_integration_spec.rb
+++ b/spec/services/work_packages/create_service_integration_spec.rb
@@ -231,25 +231,41 @@
 shared_let(:other_user) { create(:user) }
 
 let(:created_at) { 11.days.ago }
- let(:updated_at) { 10.days.ago }
 
 let(:attributes) do
 {
 subject: "child",
 project:,
 author: other_user,
- created_at:,
- updated_at:
+ created_at:
 }
 end
 
 context "when enabled", with_settings: { apiv3_write_readonly_attributes: true } do
- it "updates the timestamps correctly" do
+ it "sets created_at accordingly" do
 expect(service_result)
 .to be_success
 
 expect(new_work_package.created_at).to be_within(1.second).of(created_at)
- expect(new_work_package.updated_at).to be_within(1.second).of(updated_at)
+ end
+ end
+
+ context "when enabled, but disallowed field", with_settings: { apiv3_write_readonly_attributes: true } do
+ let(:attributes) do
+ {
+ subject: "child",
+ project:,
+ author: other_user,
+ updated_at: created_at
+ }
+ end
+
+ it "rejects updated_at" do
+ expect(service_result)
+ .not_to be_success
+
+ expect(new_work_package.errors.symbols_for(:updated_at))
+ .to contain_exactly(:error_readonly)
 end
 end
 
@@ -260,9 +276,6 @@
 
 expect(new_work_package.errors.symbols_for(:created_at))
 .to contain_exactly(:error_readonly)
-
- expect(new_work_package.errors.symbols_for(:updated_at))
- .to contain_exactly(:error_readonly)
 end
 end
 end
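Review bot: The new `context "when enabled, but disallowed field"` repeats both the `with_settings: { apiv3_write_readonly_attributes: true }` metadata and the entire `attributes` hash of its sibling context, differing only in the `updated_at` key. Nesting it inside the existing "when enabled" context and overriding the fixture with `let(:attributes) { super().merge(updated_at: created_at) }` would state only what differs; the `created_at` key would then stay in the payload, which the first example already shows is accepted. Reusing `created_at` as the value for `updated_at` also reads oddly; a dedicated `let(:updated_at) { 10.days.ago }`, as the removed line had, would make the intent clearer. The enclosing describe block starts before the hunk.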