fix: Split param validation [DHIS2-18784]

dhis2 · Jan 18, 2025 · b1c554f · b1c554f
1 parent 1bf8a00
commit b1c554f
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 20 deletions.
diff --git a/...rvice-tracker/src/main/java/org/hisp/dhis/tracker/acl/DefaultTrackerOwnershipManager.java b/...rvice-tracker/src/main/java/org/hisp/dhis/tracker/acl/DefaultTrackerOwnershipManager.java
@@ -152,22 +152,7 @@ public void transferOwnership(
   public void grantTemporaryOwnership(
       @Nonnull TrackedEntity trackedEntity, Program program, UserDetails user, String reason)
       throws ForbiddenException {
-    if (canSkipOwnershipCheck(user, program)) {
-      throw new ForbiddenException(
-          "Temporary ownership not created. Either current user is a superuser, program supplied does not exist or program supplied is not a tracker program.");
-    }
-
-    if (!program.isProtected()) {
-      throw new ForbiddenException(
-          String.format(
-              "Temporary ownership can only be granted to protected programs. %s access level is %s.",
-              program.getUid(), program.getAccessLevel().name()));
-    }
-
-    if (!isOwnerInUserSearchScope(user, trackedEntity, program)) {
-      throw new ForbiddenException(
-          "The owner of the entity-program combination is not in the user's search scope.");
-    }
+    validateGrantTemporaryOwnershipInputs(trackedEntity, program, user);
 
     if (config.isEnabled(CHANGELOG_TRACKER)) {
       programTempOwnershipAuditService.addProgramTempOwnershipAudit(
@@ -186,6 +171,35 @@ public void grantTemporaryOwnership(
         getTempOwnershipCacheKey(trackedEntity.getUid(), program.getUid(), user.getUid()));
   }
 
+  private void validateGrantTemporaryOwnershipInputs(
+      TrackedEntity trackedEntity, Program program, UserDetails user) throws ForbiddenException {
+    if (program == null) {
+      throw new ForbiddenException(
+          "Temporary ownership not created. Program supplied does not exist.");
+    }
+
+    if (user.isSuper()) {
+      throw new ForbiddenException("Temporary ownership not created. Current user is a superuser.");
+    }
+
+    if (ProgramType.WITHOUT_REGISTRATION == program.getProgramType()) {
+      throw new ForbiddenException(
+          "Temporary ownership not created. Program supplied is not a tracker program.");
+    }
+
+    if (!program.isProtected()) {
+      throw new ForbiddenException(
+          String.format(
+              "Temporary ownership can only be granted to protected programs. %s access level is %s.",
+              program.getUid(), program.getAccessLevel().name()));
+    }
+
+    if (!isOwnerInUserSearchScope(user, trackedEntity, program)) {
+      throw new ForbiddenException(
+          "The owner of the entity-program combination is not in the user's search scope.");
+    }
+  }
+
   @Override
   @Transactional(readOnly = true)
   public boolean hasAccess(UserDetails user, TrackedEntity trackedEntity, Program program) {

diff --git a/...st-integration/src/test/java/org/hisp/dhis/trackedentity/TrackerOwnershipManagerTest.java b/...st-integration/src/test/java/org/hisp/dhis/trackedentity/TrackerOwnershipManagerTest.java
@@ -382,8 +382,7 @@ void shouldFailWhenGrantingTemporaryAccessIfUserIsSuperuser() {
                     "test temporary ownership"));
 
     assertEquals(
-        "Temporary ownership not created. Either current user is a superuser, program supplied does not exist or program supplied is not a tracker program.",
-        exception.getMessage());
+        "Temporary ownership not created. Current user is a superuser.", exception.getMessage());
   }
 
   @Test
@@ -396,7 +395,7 @@ void shouldFailWhenGrantingTemporaryAccessIfProgramIsNull() {
                     trackedEntityA1, null, userDetailsB, "test temporary ownership"));
 
     assertEquals(
-        "Temporary ownership not created. Either current user is a superuser, program supplied does not exist or program supplied is not a tracker program.",
+        "Temporary ownership not created. Program supplied does not exist.",
         exception.getMessage());
   }
 
@@ -413,7 +412,7 @@ void shouldFailWhenGrantingTemporaryAccessIfProgramIsNotTrackerProgram() {
                     trackedEntityA1, eventProgram, userDetailsB, "test temporary ownership"));
 
     assertEquals(
-        "Temporary ownership not created. Either current user is a superuser, program supplied does not exist or program supplied is not a tracker program.",
+        "Temporary ownership not created. Program supplied is not a tracker program.",
         exception.getMessage());
   }