fix(comment): declare missing @PathVariable params on block comment endpoints #489

Merged

marcel merged 1 commits from fix/issue-473-pathvariable-names into main 2026-05-09 15:46:09 +02:00

Conversation 7 Commits 1 Files Changed 2 +21 -1

marcel commented 2026-05-09 14:53:07 +02:00

Owner

Copy Link

Closes #473

Problem

Two endpoints in CommentController had path variables declared in the URL template that were not bound to method parameters:

• GET /api/documents/{documentId}/transcription-blocks/{blockId}/comments — documentId was in the URL but not declared as a @PathVariable, so Spring silently ignored it (any string was accepted)
• POST /api/documents/{documentId}/transcription-blocks/{blockId}/comments/{commentId}/replies — blockId was missing; only documentId and commentId were bound

Spring MVC silently ignores undeclared path variables — it extracts them but discards the segment without type-checking. This means a non-UUID documentId or blockId would not produce a 400, and SpringDoc would emit an OpenAPI spec with a dangling path parameter.

Fix

Added the missing @PathVariable UUID documentId to getBlockComments and @PathVariable UUID blockId to replyToBlockComment. No logic changes — the parameters were already being passed correctly to the service layer; they just weren't declared for the endpoints that were missing them.

Tests

Added two behavioral RED→GREEN tests in CommentControllerTest:

• getBlockComments_returns400_when_documentId_is_not_a_UUID — confirmed 200 before fix, 400 after
• replyToBlockComment_returns400_when_blockId_is_not_a_UUID — confirmed 201 before fix, 400 after

Closes #473 ## Problem Two endpoints in `CommentController` had path variables declared in the URL template that were not bound to method parameters: - `GET /api/documents/{documentId}/transcription-blocks/{blockId}/comments` — `documentId` was in the URL but not declared as a `@PathVariable`, so Spring silently ignored it (any string was accepted) - `POST /api/documents/{documentId}/transcription-blocks/{blockId}/comments/{commentId}/replies` — `blockId` was missing; only `documentId` and `commentId` were bound Spring MVC silently ignores undeclared path variables — it extracts them but discards the segment without type-checking. This means a non-UUID `documentId` or `blockId` would not produce a 400, and SpringDoc would emit an OpenAPI spec with a dangling path parameter. ## Fix Added the missing `@PathVariable UUID documentId` to `getBlockComments` and `@PathVariable UUID blockId` to `replyToBlockComment`. No logic changes — the parameters were already being passed correctly to the service layer; they just weren't declared for the endpoints that were missing them. ## Tests Added two behavioral RED→GREEN tests in `CommentControllerTest`: - `getBlockComments_returns400_when_documentId_is_not_a_UUID` — confirmed 200 before fix, 400 after - `replyToBlockComment_returns400_when_blockId_is_not_a_UUID` — confirmed 201 before fix, 400 after

marcel added 1 commit 2026-05-09 14:53:08 +02:00

fix(comment): declare missing @PathVariable params on block comment endpoints ... fb8062a6c2

getBlockComments was missing documentId; replyToBlockComment was missing
blockId. Spring silently ignored undeclared path variables — the segments
were parsed but never bound. Now both parameters are explicitly declared so
Spring rejects non-UUID values with 400.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

marcel commented 2026-05-09 14:54:35 +02:00

Author

Owner

Copy Link

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ✅ Approved

TDD Evidence

Red/green discipline is solid. Both tests confirmed RED with the right failure messages (Status expected:<400> but was:<200> and Status expected:<400> but was:<201>) before the fix. That's exactly what you want — proof the test would have caught a real regression.

Code Quality

The fix is surgical and minimal — exactly what a bug fix should be. No logic changes, no refactoring, no feature creep.

One thing worth noting explicitly: documentId is now bound in getBlockComments but not forwarded to the service — the service only needs blockId to fetch block comments. This is intentional and correct. The parameter must be declared so Spring performs UUID type conversion (and rejects invalid values with 400), even if the value isn't used downstream. A future reader might question it — the PR description already explains this well, which is the right place for it.

Suggestions

None. This is a clean, focused fix with proper TDD evidence. Ship it.

## 👨‍💻 Felix Brandt — Senior Fullstack Developer **Verdict: ✅ Approved** ### TDD Evidence Red/green discipline is solid. Both tests confirmed RED with the right failure messages (`Status expected:<400> but was:<200>` and `Status expected:<400> but was:<201>`) before the fix. That's exactly what you want — proof the test would have caught a real regression. ### Code Quality The fix is surgical and minimal — exactly what a bug fix should be. No logic changes, no refactoring, no feature creep. One thing worth noting explicitly: `documentId` is now bound in `getBlockComments` but not forwarded to the service — the service only needs `blockId` to fetch block comments. This is intentional and correct. The parameter must be declared so Spring performs UUID type conversion (and rejects invalid values with 400), even if the value isn't used downstream. A future reader might question it — the PR description already explains this well, which is the right place for it. ### Suggestions None. This is a clean, focused fix with proper TDD evidence. Ship it.

marcel commented 2026-05-09 14:54:46 +02:00

Author

Owner

Copy Link

🔒 Nora "NullX" Steiner — Application Security Engineer

Verdict: ✅ Approved

What Was Fixed and Why It Matters

The root issue is CWE-20: Improper Input Validation. When a path variable appears in the URL template but isn't declared as a @PathVariable parameter, Spring MVC silently discards it — no type coercion, no validation. That means a caller could send any string in the documentId or blockId position and Spring would happily route the request to the handler.

In isolation this isn't a high-severity finding (no IDOR risk here since the service does its own lookup by blockId, and the endpoint is authenticated), but:

1. It breaks the OpenAPI spec — SpringDoc emits a dangling path parameter declaration
2. It weakens defence-in-depth — UUID validation is a cheap gate at the HTTP boundary
3. It's a correctness bug masquerading as a "just an annotation" issue

The fix correctly enforces UUID parsing at the Spring MVC dispatcher level. Non-UUID values now fail with 400 before the handler body executes.

Pre-existing Observation (not introduced by this PR)

getBlockComments has no @RequirePermission annotation — any authenticated user can read block comments for any block. postBlockComment requires ANNOTATE_ALL or WRITE_ALL. This asymmetry appears intentional (read = any authenticated user, write = privileged), but worth a quick confirmation that this is a deliberate product decision, not an overlooked annotation.

No New Concerns

Auth annotations on all write endpoints are correct. No unparameterised queries introduced. No logging of user-controlled input. LGTM.

## 🔒 Nora "NullX" Steiner — Application Security Engineer **Verdict: ✅ Approved** ### What Was Fixed and Why It Matters The root issue is **CWE-20: Improper Input Validation**. When a path variable appears in the URL template but isn't declared as a `@PathVariable` parameter, Spring MVC silently discards it — no type coercion, no validation. That means a caller could send any string in the `documentId` or `blockId` position and Spring would happily route the request to the handler. In isolation this isn't a high-severity finding (no IDOR risk here since the service does its own lookup by `blockId`, and the endpoint is authenticated), but: 1. It breaks the OpenAPI spec — SpringDoc emits a dangling path parameter declaration 2. It weakens defence-in-depth — UUID validation is a cheap gate at the HTTP boundary 3. It's a correctness bug masquerading as a "just an annotation" issue The fix correctly enforces UUID parsing at the Spring MVC dispatcher level. Non-UUID values now fail with 400 before the handler body executes. ### Pre-existing Observation (not introduced by this PR) `getBlockComments` has no `@RequirePermission` annotation — any authenticated user can read block comments for any block. `postBlockComment` requires `ANNOTATE_ALL` or `WRITE_ALL`. This asymmetry appears intentional (read = any authenticated user, write = privileged), but worth a quick confirmation that this is a deliberate product decision, not an overlooked annotation. ### No New Concerns Auth annotations on all write endpoints are correct. No unparameterised queries introduced. No logging of user-controlled input. LGTM.

marcel commented 2026-05-09 14:54:54 +02:00

Author

Owner

Copy Link

🏛️ Markus Keller — Application Architect

Verdict: ✅ Approved

Architecture Check

• Layer boundaries: Controller delegates to service, service is unchanged. No layer violations.
• Domain boundary: The fix stays entirely within document.comment. No cross-domain reach.
• Module ownership: CommentController owns its path variable declarations. The service's public API is untouched.
• Database/schema: No migrations, no schema changes.

Documentation Check

Per my review table: this PR contains no new Flyway migrations, no new packages or domain modules, no new routes, no new Docker services, no new ErrorCode or Permission values, and no new external integrations. No doc updates are required for a bug fix of this scope.

Nothing to Flag

Clean, contained fix. The approach of declaring path variables explicitly (even when the controller method doesn't use the value downstream) is the correct Spring MVC idiom — it's how SpringDoc generates accurate parameter specs and how the dispatcher enforces type coercion before the handler executes. No architectural concerns.

## 🏛️ Markus Keller — Application Architect **Verdict: ✅ Approved** ### Architecture Check - **Layer boundaries**: Controller delegates to service, service is unchanged. No layer violations. - **Domain boundary**: The fix stays entirely within `document.comment`. No cross-domain reach. - **Module ownership**: `CommentController` owns its path variable declarations. The service's public API is untouched. - **Database/schema**: No migrations, no schema changes. ### Documentation Check Per my review table: this PR contains no new Flyway migrations, no new packages or domain modules, no new routes, no new Docker services, no new ErrorCode or Permission values, and no new external integrations. No doc updates are required for a bug fix of this scope. ### Nothing to Flag Clean, contained fix. The approach of declaring path variables explicitly (even when the controller method doesn't use the value downstream) is the correct Spring MVC idiom — it's how SpringDoc generates accurate parameter specs and how the dispatcher enforces type coercion before the handler executes. No architectural concerns.

marcel commented 2026-05-09 14:55:02 +02:00

Author

Owner

Copy Link

🧪 Sara Holt — Senior QA Engineer

Verdict: ✅ Approved

Test Coverage Assessment

RED/GREEN evidence: Both tests confirmed RED before the fix:

• getBlockComments_returns400_when_documentId_is_not_a_UUID: was 200, expected 400 ✓
• replyToBlockComment_returns400_when_blockId_is_not_a_UUID: was 201, expected 400 ✓

Test naming: Descriptive and readable as sentences — passes my naming check.

Authority setup: @WithMockUser(authorities = "ANNOTATE_ALL") on the reply test is correct. Without it, the AOP permission check would return 403 before Spring even tries to bind the path variable, making the test meaningless for this specific behavior.

Test targeting: Each test targets precisely the missing parameter for its endpoint:

• getBlockComments was missing documentId → test sends non-UUID documentId ✓
• replyToBlockComment was missing blockId → test sends non-UUID blockId ✓

Test layer: @WebMvcTest slice is the right choice here — we're testing Spring MVC path variable binding behavior, which lives in the web layer. No database, no Testcontainers needed.

Minor Observation

The getBlockComments test uses a freshly generated blockId UUID that has no stub — commentService.getCommentsForBlock(blockId) would return null by default if Spring ever reached the handler. But since the test expects 400 (handler should never be reached), this is fine. The test would fail with a 200/NPE if the fix regressed, which is the desired behavior.

Full Suite

All 16 tests in CommentControllerTest pass. No regressions. LGTM.

## 🧪 Sara Holt — Senior QA Engineer **Verdict: ✅ Approved** ### Test Coverage Assessment **RED/GREEN evidence**: Both tests confirmed RED before the fix: - `getBlockComments_returns400_when_documentId_is_not_a_UUID`: was 200, expected 400 ✓ - `replyToBlockComment_returns400_when_blockId_is_not_a_UUID`: was 201, expected 400 ✓ **Test naming**: Descriptive and readable as sentences — passes my naming check. **Authority setup**: `@WithMockUser(authorities = "ANNOTATE_ALL")` on the reply test is correct. Without it, the AOP permission check would return 403 before Spring even tries to bind the path variable, making the test meaningless for this specific behavior. **Test targeting**: Each test targets precisely the missing parameter for its endpoint: - `getBlockComments` was missing `documentId` → test sends non-UUID `documentId` ✓ - `replyToBlockComment` was missing `blockId` → test sends non-UUID `blockId` ✓ **Test layer**: `@WebMvcTest` slice is the right choice here — we're testing Spring MVC path variable binding behavior, which lives in the web layer. No database, no Testcontainers needed. ### Minor Observation The `getBlockComments` test uses a freshly generated `blockId` UUID that has no stub — `commentService.getCommentsForBlock(blockId)` would return null by default if Spring ever reached the handler. But since the test expects 400 (handler should never be reached), this is fine. The test would fail with a 200/NPE if the fix regressed, which is the desired behavior. ### Full Suite All 16 tests in `CommentControllerTest` pass. No regressions. LGTM.

marcel commented 2026-05-09 14:55:06 +02:00

Author

Owner

Copy Link

⚙️ Tobias Wendt — DevOps & Platform Engineer

Verdict: ✅ Approved

No infrastructure, CI, Docker Compose, or deployment changes in this PR. Pure backend bug fix — two Java files changed.

The backend JAR builds and tests pass cleanly, which is all I need to confirm from a platform perspective. Nothing to flag.

## ⚙️ Tobias Wendt — DevOps & Platform Engineer **Verdict: ✅ Approved** No infrastructure, CI, Docker Compose, or deployment changes in this PR. Pure backend bug fix — two Java files changed. The backend JAR builds and tests pass cleanly, which is all I need to confirm from a platform perspective. Nothing to flag.

marcel commented 2026-05-09 14:55:11 +02:00

Author

Owner

Copy Link

📋 Elicit — Requirements Engineer

Verdict: ✅ Approved

Requirements Traceability

Issue #473 described a specific correctness gap: path variables declared in URL templates but not bound to handler parameters. The fix delivers exactly what was specified — no more, no less. There is no scope creep.

Acceptance criteria (implicit in the issue):

• ✅ GET /api/documents/{documentId}/transcription-blocks/{blockId}/comments rejects non-UUID documentId with 400
• ✅ POST /api/documents/{documentId}/transcription-blocks/{blockId}/comments/{commentId}/replies rejects non-UUID blockId with 400

Both are verified by the regression tests.

No NFR Concerns

This fix improves input validation (a security NFR) and OpenAPI spec correctness (a developer-experience NFR) with zero impact on performance, availability, or user-facing behavior for valid inputs. Existing callers passing valid UUIDs are unaffected.

## 📋 Elicit — Requirements Engineer **Verdict: ✅ Approved** ### Requirements Traceability Issue #473 described a specific correctness gap: path variables declared in URL templates but not bound to handler parameters. The fix delivers exactly what was specified — no more, no less. There is no scope creep. **Acceptance criteria** (implicit in the issue): - ✅ `GET /api/documents/{documentId}/transcription-blocks/{blockId}/comments` rejects non-UUID `documentId` with 400 - ✅ `POST /api/documents/{documentId}/transcription-blocks/{blockId}/comments/{commentId}/replies` rejects non-UUID `blockId` with 400 Both are verified by the regression tests. ### No NFR Concerns This fix improves input validation (a security NFR) and OpenAPI spec correctness (a developer-experience NFR) with zero impact on performance, availability, or user-facing behavior for valid inputs. Existing callers passing valid UUIDs are unaffected.

marcel commented 2026-05-09 14:55:15 +02:00

Author

Owner

Copy Link

🎨 Leonie Voss — UX Designer & Accessibility Strategist

Verdict: ✅ Approved

Backend-only fix — no Svelte components, no routes, no HTML, no CSS, no i18n strings. Nothing in this PR touches the UI layer.

The 400 error response for malformed UUIDs is handled by Spring's global exception handler, which maps to a structured error response. The frontend already handles API errors through getErrorMessage(). No UX impact to review.

## 🎨 Leonie Voss — UX Designer & Accessibility Strategist **Verdict: ✅ Approved** Backend-only fix — no Svelte components, no routes, no HTML, no CSS, no i18n strings. Nothing in this PR touches the UI layer. The 400 error response for malformed UUIDs is handled by Spring's global exception handler, which maps to a structured error response. The frontend already handles API errors through `getErrorMessage()`. No UX impact to review.

marcel merged commit 265b4f1484 into main 2026-05-09 15:46:09 +02:00

marcel deleted branch fix/issue-473-pathvariable-names 2026-05-09 15:46:11 +02:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

P0-critical

Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.

P1-high

Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.

P2-medium

Noticeable improvement; doesn't block anything; schedule opportunistically.

P3-later

Cosmetic or parking-lot work; fine to stay open indefinitely.

audit

Read-only audit / assessment work; produces a report rather than changing code

bug

Something isn't working

cleanup

Removal of dead code, vague comments, naming violations, and scratch artifacts

collaboration

We want to extend the family archive to have more collaboration tools

conversation

descoped

We will do that later

devops

documentation

README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs

epic

Marker for epic-level issues that group multiple child issues

feature

file-upload

legibility

Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction

notification

person

phase-1: security

Security hygiene — must be done first

phase-2: container-images

Production-ready multi-stage Docker images

phase-3: prod-compose

Production compose overlay + Caddy reverse proxy

phase-4: spring-prod-profile

Spring Boot production configuration profile

phase-5: backups

Database and object storage backup strategy

phase-6: deployment-docs

.env.example, DEPLOYMENT.md, runbook

phase-7: monitoring

Prometheus, Loki, Grafana, Alertmanager

refactor

Code restructuring without behaviour change

security

test

ui

UI/UX and accessibility issues

user

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Jens marcel

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/familienarchiv#489