-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74189/#review224938
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
Lines 314 (patched)
<https://reviews.apache.org/r/74189/#comment313780>

    To be consistent with other places, I suggest handling changePassword.id == null as well, like:
    
      } else if (changePassword.getId() == null) {
        changePassword.setId(userId);
      } else if (!changePassword.getId().equals(userId)) {
        logger.warn("SECURITY:changePassword(): userId mismatch");
        throw restErrorUtil.createRESTException("serverMsg.userRestUser", MessageEnums.DATA_NOT_FOUND, null, null, "");
      }



security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
Lines 346 (patched)
<https://reviews.apache.org/r/74189/#comment313781>

    To be consistent with other places, I suggest handling changePassword.id == null as well, like:
    
      } else if (changeEmail.getId() == null) {
        changeEmail.setId(userId);
      } else if (!changeEmail.getId().equals(userId)) {
        logger.warn("SECURITY:changePassword(): userId mismatch");
        throw restErrorUtil.createRESTException("serverMsg.userRestUser", MessageEnums.DATA_NOT_FOUND, null, null, "");
      }


- Madhan Neethiraj


On Nov. 29, 2022, 11:55 a.m., Ramachandran Krishnan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74189/
> -----------------------------------------------------------
> 
> (Updated Nov. 29, 2022, 11:55 a.m.)
> 
> 
> Review request for ranger, Don Bosco Durai, Kirby Zhou, Abhay Kulkarni, 
> Madhan Neethiraj, Mehul Parikh, Nikhil P, Pradeep Agrawal, Ramesh Mani, 
> Selvamohan Neethiraj, Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan 
> Periasamy.
> 
> 
> Bugs: RANGER-3883
>     https://issues.apache.org/jira/browse/RANGER-3883
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> When a POST request is made to the following APIs, they return a 200 status
> code even when the userId is invalid.
> 
> When a POST/PUT request is made to the following APIs, they return a 200
> status code even when the userId or id is invalid.
> 
> Ranger is not honouring Id
> /service/users/{USER_ID}/passwordchange
> /service/users/{USER_ID}/emailchange
> /assets/{id}
> /permission/{id}
> /services/{id}
> /definitions/{id}
> /secure/groups/{id}
> /policies/{id}
> 
> Ideally, the APIs must return 404 or Bad request (400) not found when using an
> invalid userid or id in the URL.
> 
> But in this case, the POST/PUT request results in status code 200 instead of
> 400.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java a0ba3b750
>   security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java 2e7e90bb4
>   security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 293107f24
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 9bccf1089
>   security-admin/src/main/java/org/apache/ranger/rest/UserREST.java 5fc18034b
>   security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java dd12048ac
>   security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java abd4b1c1c
>   security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIs.java 2bf5ee6c9
>   security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIsv2.java 1069f013d
>   security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 375135a5a
>   security-admin/src/test/java/org/apache/ranger/rest/TestUserREST.java 48cd7face
>   security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java 2b25ba813
> 
> 
> Diff: https://reviews.apache.org/r/74189/diff/4/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Ramachandran Krishnan
> 
>
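
The three cases this thread distinguishes (body id absent, equal to the path id, different from it), as an added stand-alone Java example that is not code from the Ranger patch. The names `PathIdCheck`, `ChangeRequest`, `IdMismatchException` and the choice of status 400 are assumptions made for the illustration.

```java
// Added illustration (Java 16+ for records); all names here are hypothetical, not Ranger's.
public class PathIdCheck {
    // Stand-in for a request body that carries its own id field.
    record ChangeRequest(Long id, String newValue) {}

    // Raised when the ids cannot be reconciled; 400 is an assumed status for this sketch.
    static class IdMismatchException extends RuntimeException {
        final int status;
        IdMismatchException(int status, String msg) { super(msg); this.status = status; }
    }

    // Returns a body whose id is guaranteed to equal the id taken from the URL path.
    static ChangeRequest reconcile(Long pathId, ChangeRequest body) {
        if (pathId == null || body == null) {
            throw new IdMismatchException(400, "missing path id or request body");
        }
        if (body.id() == null) {
            // Body omitted the id: adopt the one from the path.
            return new ChangeRequest(pathId, body.newValue());
        }
        // equals(), not !=, because boxed Long values outside the small-value cache
        // are distinct objects and a reference comparison would reject matching ids.
        if (!body.id().equals(pathId)) {
            throw new IdMismatchException(400,
                "path id " + pathId + " does not match body id " + body.id());
        }
        return body;
    }

    public static void main(String[] args) {
        // Constructed cases: {path id, body id}
        Long[][] cases = { {7L, null}, {7L, 7L}, {7L, 8L}, {5000L, 5000L} };
        for (Long[] c : cases) {
            String label = "path=" + c[0] + " body=" + c[1];
            try {
                ChangeRequest r = reconcile(c[0], new ChangeRequest(c[1], "x"));
                System.out.println(label + " -> proceed with id " + r.id());
            } catch (IdMismatchException e) {
                System.out.println(label + " -> HTTP " + e.status + ": " + e.getMessage());
            }
        }
    }
}
```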
