fix: Check Asset labelIds for invalid values (NUWCDIVNPT#1154)

* check that labelId is associated with specified collection * throw specific error when invalid labelId is supplied * used wrong collectionId * use label projection in existing getCollection call, rather than specifically calling another service method to look for label * tests for invalid asset labels
cd-rite · Nov 22, 2023 · 1f7fe2b · 1f7fe2b
1 parent c679109
commit 1f7fe2b
Show file tree

Hide file tree

Showing 3 changed files with 563 additions and 4 deletions.
diff --git a/api/source/controllers/Collection.js b/api/source/controllers/Collection.js
@@ -627,7 +627,12 @@ module.exports.putAssetsByCollectionLabelId = async function (req, res, next) {
     const collectionId = getCollectionIdAndCheckPermission(req)
     const labelId = req.params.labelId
     const assetIds = req.body
-    let collection = await CollectionService.getCollection( collectionId, ['assets'], false, req.userObject)
+    let collection = await CollectionService.getCollection( collectionId, ['assets','labels'], false, req.userObject)
+
+    if (!collection.labels.find( l => l.labelId === labelId)) {
+      throw new SmError.PrivilegeError('The labelId is not associated with this Collection.')
+    }
+
     let collectionAssets = collection.assets.map( a => a.assetId)
     if (assetIds.every( a => collectionAssets.includes(a))) {
       await CollectionService.putAssetsByCollectionLabelId( collectionId, labelId, assetIds, res.svcStatus )

diff --git a/api/source/service/mysql/AssetService.js b/api/source/service/mysql/AssetService.js
@@ -439,8 +439,8 @@ exports.addOrUpdateAsset = async function ( {writeAction, assetId, body, project
               FROM
                 collection_label
               WHERE
-                uuid IN (?)`
-          await connection.query(sqlInsertLabels, [assetId, uuidBinds])
+                uuid IN (?) and collectionId = ?`
+          await connection.query(sqlInsertLabels, [assetId, uuidBinds, assetFields.collectionId])
         }
       }