marcel/familienarchiv
1
0
Fork 0
Code Issues 121 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

refactor(document): rename getSummaryById to findSummaryByIdInternal to signal scope-check bypass
All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 3m20s
Details
CI / OCR Service Tests (pull_request) Successful in 24s
Details
CI / Backend Unit Tests (pull_request) Successful in 3m52s
Details
CI / fail2ban Regex (pull_request) Successful in 47s
Details
CI / Semgrep Security Scan (pull_request) Successful in 22s
Details
CI / Compose Bucket Idempotency (pull_request) Successful in 1m9s
Details

Browse Source 
The method intentionally skips permission checks and tag-colour resolution.
Renaming it to findSummaryByIdInternal makes the internal-only contract
visible at every call site, closing the latent CWE-284 risk flagged in
the PR review.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-06-08 21:13:35 +02:00
parent f09c79744e
commit 99111273e5
3 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
backend/src/main/java/org/raddatz/familienarchiv/document/DocumentService.java
View File

@@ -1012,7 +1012,7 @@ public class DocumentService {
* under the current single-tenant model where all authenticated users share * under the current single-tenant model where all authenticated users share
* the same document scope. Called within a caller-provided transaction. * the same document scope. Called within a caller-provided transaction.
*/ */
public Document getSummaryById(UUID id) { public Document findSummaryByIdInternal(UUID id) {
return documentRepository.findById(id) return documentRepository.findById(id)
.orElseThrow(() -> DomainException.notFound(ErrorCode.DOCUMENT_NOT_FOUND, "Document not found: " + id)); .orElseThrow(() -> DomainException.notFound(ErrorCode.DOCUMENT_NOT_FOUND, "Document not found: " + id));
} }

2
backend/src/main/java/org/raddatz/familienarchiv/geschichte/journeyitem/JourneyItemService.java
View File

@@ -70,7 +70,7 @@ public class JourneyItemService {
Document doc = null; Document doc = null;
if (dto.getDocumentId() != null) { if (dto.getDocumentId() != null) {
doc = documentService.getSummaryById(dto.getDocumentId()); doc = documentService.findSummaryByIdInternal(dto.getDocumentId());
} }
int nextPosition = journeyItemRepository.findMaxPositionByGeschichteId(geschichteId) int nextPosition = journeyItemRepository.findMaxPositionByGeschichteId(geschichteId)

2
backend/src/test/java/org/raddatz/familienarchiv/geschichte/journeyitem/JourneyItemServiceTest.java
View File

@@ -240,7 +240,7 @@ class JourneyItemServiceTest {
Geschichte journey = journey(geschichteId); Geschichte journey = journey(geschichteId);
when(geschichteQueryService.findById(geschichteId)).thenReturn(Optional.of(journey)); when(geschichteQueryService.findById(geschichteId)).thenReturn(Optional.of(journey));
when(journeyItemRepository.countByGeschichteId(geschichteId)).thenReturn(0L); when(journeyItemRepository.countByGeschichteId(geschichteId)).thenReturn(0L);
when(documentService.getSummaryById(docId)) when(documentService.findSummaryByIdInternal(docId))
.thenThrow(DomainException.notFound(ErrorCode.DOCUMENT_NOT_FOUND, "not found")); .thenThrow(DomainException.notFound(ErrorCode.DOCUMENT_NOT_FOUND, "not found"));
JourneyItemCreateDTO dto = new JourneyItemCreateDTO(); JourneyItemCreateDTO dto = new JourneyItemCreateDTO();