From 2cb050ef8313f3eeaaaf3e265ea9a3cc49b4cb93 Mon Sep 17 00:00:00 2001 From: Aaron Klish Date: Wed, 18 Sep 2019 20:28:53 -0500 Subject: [PATCH 1/3] Fix bug in GraphQL where we add the parent relationship during an UPDATE request --- .../com/yahoo/elide/core/PersistentResource.java | 13 +++++++++---- .../elide/graphql/PersistentResourceFetcher.java | 4 +++- pom.xml | 2 +- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/elide-core/src/main/java/com/yahoo/elide/core/PersistentResource.java b/elide-core/src/main/java/com/yahoo/elide/core/PersistentResource.java index 69aefebe5c..4ba7659a7f 100644 --- a/elide-core/src/main/java/com/yahoo/elide/core/PersistentResource.java +++ b/elide-core/src/main/java/com/yahoo/elide/core/PersistentResource.java @@ -95,6 +95,14 @@ public String toString() { return String.format("PersistentResource{type=%s, id=%s}", type, uuid.orElse(getId())); } + /** + * Returns whether this persistent resource was created in the current transaction. + * @return true if this resources is newly created. False otherwise. + */ + public boolean isNewlyCreated() { + return requestScope.getNewPersistentResources().contains(this); + } + /** * Create a resource in the database. * @param parent - The immediate ancestor in the lineage or null if this is a root. @@ -1270,8 +1278,6 @@ protected Map getAttributes() { */ protected void setValueChecked(String fieldName, Object newValue) { Object existingValue = getValueUnchecked(fieldName); - ChangeSpec spec = new ChangeSpec(this, fieldName, existingValue, newValue); - boolean isNewlyCreated = requestScope.getNewPersistentResources().contains(this); // TODO: Need to refactor this logic. For creates this is properly converted in the executor. This logic // should be explicitly encapsulated here, not there. 
@@ -1587,8 +1593,7 @@ protected Set filterFields(Collection fields) { */ private void triggerUpdate(String fieldName, Object original, Object value) { ChangeSpec changeSpec = new ChangeSpec(this, fieldName, original, value); - boolean isNewlyCreated = requestScope.getNewPersistentResources().contains(this); - CRUDEvent.CRUDAction action = isNewlyCreated + CRUDEvent.CRUDAction action = isNewlyCreated() ? CRUDEvent.CRUDAction.CREATE : CRUDEvent.CRUDAction.UPDATE; diff --git a/elide-graphql/src/main/java/com/yahoo/elide/graphql/PersistentResourceFetcher.java b/elide-graphql/src/main/java/com/yahoo/elide/graphql/PersistentResourceFetcher.java index fbec5c1aa6..1ea7bb5096 100644 --- a/elide-graphql/src/main/java/com/yahoo/elide/graphql/PersistentResourceFetcher.java +++ b/elide-graphql/src/main/java/com/yahoo/elide/graphql/PersistentResourceFetcher.java @@ -298,7 +298,9 @@ private ConnectionContainer upsertOrUpdateObjects(Environment context, /* fixup relationships */ for (Entity entity : entitySet) { graphWalker(entity, this::updateRelationship); - if (!context.isRoot()) { /* add relation between parent and nested entity */ + PersistentResource childResource = entity.toPersistentResource(); + if (!context.isRoot() && childResource.isNewlyCreated()) { + /* add relation between parent and nested entity */ context.parentResource.addRelation(context.field.getName(), entity.toPersistentResource()); } } diff --git a/pom.xml b/pom.xml index 3793074854..bea8e96bf5 100644 --- a/pom.xml +++ b/pom.xml @@ -510,7 +510,7 @@ dependency-check-maven 5.0.0 - 6 + 9 true false From 52d3529ca2393eb521f6526b1771107e4ea626b9 Mon Sep 17 00:00:00 2001 From: Aaron Klish Date: Thu, 19 Sep 2019 11:58:41 -0500 Subject: [PATCH 2/3] Reverting owasp check back to level 6 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 59fdf770bf..599f955ba1 100644 --- a/pom.xml +++ b/pom.xml 
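Review bot: The new `childResource` local in the fixup loop of `upsertOrUpdateObjects` is used only for the `isNewlyCreated()` test, while the `addRelation` call below it still calls `entity.toPersistentResource()` a second time; pass the local instead, `context.parentResource.addRelation(context.field.getName(), childResource);`, so the object that was checked is the object that gets linked. The comment could also say why existing entities are skipped, for example `/* only link entities created in this request; an existing child keeps its current relationships */`. With this guard a nested UPDATE no longer writes to the parent's relationship at all, and nothing in the hunk shows that an existing child is confirmed to belong to that parent before it is updated, so that is worth checking in the part of the method that lies outside the hunk. The diffstat for this patch lists no test file; a regression test for a nested UPDATE under a parent would pin the fix.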
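Review bot: Raising the value from 6 to 9 in the `dependency-check-maven` configuration means the build stops failing on findings scored between 6 and 9, and the change rides along in a commit whose subject is a GraphQL bug fix. The element name is not visible in this extract (presumably `failBuildOnCVSS`). Patch 2/3 of this series puts the value back to 6, so the two pom.xml changes should be dropped together before merge, leaving no commit in history that builds with the weaker gate. If a specific finding was blocking the build, a scoped entry in the `suppressions.xml` file that the configuration already references is the narrower fix.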
@@ -510,7 +510,7 @@ dependency-check-maven 5.0.0 - 9 + 6 true false suppressions.xml From 7910119e090f97b833451f98708fe595c1339631 Mon Sep 17 00:00:00 2001 From: Aaron Klish Date: Thu, 19 Sep 2019 14:13:09 -0500 Subject: [PATCH 3/3] Inspection rework --- .../com/yahoo/elide/security/PersistentResource.java | 8 ++++++++ .../java/com/yahoo/elide/core/PersistentResource.java | 10 +--------- .../security/executors/ActivePermissionExecutor.java | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/elide-annotations/src/main/java/com/yahoo/elide/security/PersistentResource.java b/elide-annotations/src/main/java/com/yahoo/elide/security/PersistentResource.java index b05663f07f..557e24c673 100644 --- a/elide-annotations/src/main/java/com/yahoo/elide/security/PersistentResource.java +++ b/elide-annotations/src/main/java/com/yahoo/elide/security/PersistentResource.java @@ -22,4 +22,12 @@ public interface PersistentResource { T getObject(); Class getResourceClass(); RequestScope getRequestScope(); + + /** + * Returns whether or not this resource was created in this transaction. + * @return True if this resource is newly created. + */ + default boolean isNewlyCreated() { + return getRequestScope().getNewResources().contains(this); + } } diff --git a/elide-core/src/main/java/com/yahoo/elide/core/PersistentResource.java b/elide-core/src/main/java/com/yahoo/elide/core/PersistentResource.java index 4ba7659a7f..da37a5eb06 100644 --- a/elide-core/src/main/java/com/yahoo/elide/core/PersistentResource.java +++ b/elide-core/src/main/java/com/yahoo/elide/core/PersistentResource.java 
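Review bot: The new default `isNewlyCreated()` on the security `PersistentResource` interface reads `getRequestScope().getNewResources()`, while the core method it replaces read `requestScope.getNewPersistentResources()`; the hunk does not show that the two accessors return the same set. This matters because the `ActivePermissionExecutor` hunk later in this patch switches its "limit to User checks" branch to `resource.isNewlyCreated()`, so the answer now selects which permission checks run. The Javadoc should state that contract, e.g. `Permission evaluation uses this to pick the check mode; implementations must return true only for objects created in the current request scope.` Since any implementation of the interface can override a default method, a test that asserts false for a loaded resource and true for a created one would guard the executor's branch.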
@@ -95,15 +95,7 @@ public String toString() { return String.format("PersistentResource{type=%s, id=%s}", type, uuid.orElse(getId())); } - /** - * Returns whether this persistent resource was created in the current transaction. - * @return true if this resources is newly created. False otherwise. - */ - public boolean isNewlyCreated() { - return requestScope.getNewPersistentResources().contains(this); - } - - /** + /** * Create a resource in the database. * @param parent - The immediate ancestor in the lineage or null if this is a root. * @param entityClass the entity class diff --git a/elide-core/src/main/java/com/yahoo/elide/security/executors/ActivePermissionExecutor.java b/elide-core/src/main/java/com/yahoo/elide/security/executors/ActivePermissionExecutor.java index 502819828e..7266d5bcc9 100644 --- a/elide-core/src/main/java/com/yahoo/elide/security/executors/ActivePermissionExecutor.java +++ b/elide-core/src/main/java/com/yahoo/elide/security/executors/ActivePermissionExecutor.java @@ -126,7 +126,7 @@ public ExpressionResult checkPermission(Class annotati Function expressionExecutor = (expression) -> { // for newly created object in PatchRequest limit to User checks - if (requestScope.getNewPersistentResources().contains(resource)) { + if (resource.isNewlyCreated()) { return executeUserChecksDeferInline(annotationClass, expression); } return executeExpressions(expression, annotationClass, Expression.EvaluationMode.INLINE_CHECKS_ONLY);