Abhishek Chaudhary created FINERACT-2673:
--------------------------------------------

             Summary: GET /audits/{auditId} returns HTTP 500 instead of 404 
when the audit entry does not exist
                 Key: FINERACT-2673
                 URL: https://issues.apache.org/jira/browse/FINERACT-2673
             Project: Apache Fineract
          Issue Type: Bug
          Components: System
    Affects Versions: 1.14.0
            Reporter: Abhishek Chaudhary


*Observed behavior*

{noformat}
GET /fineract-provider/api/v1/audits/{auditId}
{noformat}

with a nonexistent {{auditId}} returns HTTP 500 with an unhandled 
{{EmptyResultDataAccessException}}. The same happens for an audit entry that 
exists but is outside the caller's office hierarchy, because the lookup SQL is 
hierarchy-scoped.

*Root cause*

{{AuditReadPlatformServiceImpl.retrieveAuditEntry()}} executes 
{{jdbcTemplate.queryForObject("... where aud.id = ?")}} with no empty-result 
handling.

{{JdbcTemplate.queryForObject()}} throws {{EmptyResultDataAccessException}} 
when no rows match. Since there is no exception mapper for it, the exception 
falls through {{DefaultExceptionMapper}} and is returned as HTTP 500. This is 
the same defect class as FINERACT-2671.

*Expected behavior*

HTTP 404 with the standard platform error payload by catching 
{{EmptyResultDataAccessException}} and throwing a domain-specific not-found 
exception extending {{AbstractPlatformResourceNotFoundException}}.

The hierarchy-scoped case should also return HTTP 404 (rather than HTTP 403) so 
the API does not disclose whether an audit ID exists outside the caller's 
office hierarchy.

*Steps to reproduce*

# Call:

{noformat}
GET /fineract-provider/api/v1/audits/999999
{noformat}

Current: HTTP 500

Expected: HTTP 404

*Proposed fix*

* Introduce {{AuditEntryNotFoundException}} extending 
{{AbstractPlatformResourceNotFoundException}}.
* Catch {{EmptyResultDataAccessException}} in 
{{AuditReadPlatformServiceImpl.retrieveAuditEntry()}} and rethrow 
{{AuditEntryNotFoundException}}.
* Add integration tests covering:
** Non-existent audit ID → HTTP 404.
** Audit entry outside the caller's office hierarchy → HTTP 404.

I found this while reviewing read-platform services for the FINERACT-2671 
defect class and would like to work on it. Please assign it to me.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to