From b4833cc360eb5f67e4f4861e058f34a153ba57ab Mon Sep 17 00:00:00 2001
From: Lukas Krause
Date: Mon, 14 Oct 2024 16:20:55 +0200
Subject: [PATCH] Always use backend response for requests to `source/:project_name`

Right now we use the presence of the `?deleted=0` query parameter as a workaround to force the request being passed directly to the backend and returning results based on backend data over returning results based on frontend database entries. This workaround currently leads to inconsistant results being returned by the API. Instead of using this workaround we better should always let the backend handle the request (where possible) and return the data based on it's info.

Fixes #16911
---
 .../controllers/source_project_controller.rb | 58 +++++++++----------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/src/api/app/controllers/source_project_controller.rb b/src/api/app/controllers/source_project_controller.rb
index 5eed128a291a..42c95e766242 100644
--- a/src/api/app/controllers/source_project_controller.rb
+++ b/src/api/app/controllers/source_project_controller.rb
@@ -4,11 +4,12 @@ class SourceProjectController < SourceController
 # GET /source/:project
 def show
 project_name = params[:project]
- if params.key?(:deleted)
- unless Project.find_by_name(project_name) || Project.is_remote_project?(project_name)
- # project is deleted or not accessible
- validate_visibility_of_deleted_project(project_name)
- end
+
+ if params[:deleted] == '1' && !(Project.find_by_name(project_name) || Project.is_remote_project?(project_name))
+ # project is deleted or not accessible
+ validate_visibility_of_deleted_project(project_name)
+ # We have to pass it to the backend at this point, because the rest
+ # of the method expects an existing project
 pass_to_backend
 return
 end
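Review bot: The `params[:deleted] == '1' && !(Project.find_by_name(project_name) || ...)` branch is taken both for a deleted project and for one that exists but is not visible to the caller, because `Project.find_by_name` doubles as the access check (the comment added further down in `show` says so). On that path the only gate before `pass_to_backend` is `validate_visibility_of_deleted_project`, which is defined outside this hunk, so it cannot be confirmed from here that it rejects a live hidden project. I would state the contract at the call, e.g. `# must raise unless the caller may see this project, whether it is deleted or merely hidden`, and add a request spec for a hidden project with `?deleted=1`. Values other than `'1'` now skip the branch; for a missing project that presumably ends in `UnknownObjectError` later in `show`, which fails closed, but it deserves a spec as well. `show` starts above and continues below this hunk.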
@@ -19,31 +20,35 @@ def show
 return
 end
+ # This implicitly also checks if the user can access the project (for hidden projects).
+ # We have to make sure to initialize the project already at this
+ # point, even we dont need the object in most cases because of that fact.
+ # TODO: Don't implicitly use the finder logic to authorize!
 @project = Project.find_by_name(project_name)
 raise Project::UnknownObjectError, "Project not found: #{project_name}" unless @project
- # we let the backend list the packages after we verified the project is visible
- if params.key?(:view)
- case params[:view]
- when 'verboseproductlist'
- @products = Product.all_products(@project, params[:expand])
- render 'source/verboseproductlist', formats: [:xml]
- return
- when 'productlist'
- @products = Product.all_products(@project, params[:expand])
- render 'source/productlist', formats: [:xml]
- return
- when 'issues'
- render_project_issues
- when 'info'
- pass_to_backend
- else
- raise InvalidParameterError, "'#{params[:view]}' is not a valid 'view' parameter value."
- end
+ unless params.key?(:view)
+ pass_to_backend
 return
 end
- render_project_packages
+ raise InvalidParameterError, "'#{params[:view]}' is not a valid 'view' parameter value." unless params[:view].in?(%w[verboseproductlist productlist issues info])
+
+ # we let the backend list the packages after we verified the project is visible
+ case params[:view]
+ when 'verboseproductlist'
+ @products = Product.all_products(@project, params[:expand])
+ render 'source/verboseproductlist', formats: [:xml]
+ return
+ when 'productlist'
+ @products = Product.all_products(@project, params[:expand])
+ render 'source/productlist', formats: [:xml]
+ return
+ when 'issues'
+ render_project_issues
+ when 'info'
+ pass_to_backend
+ end
 end
 def render_project_issues
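Review bot: Requests without `view` now return whatever `pass_to_backend` yields, so the only access decision left on this path is the implicit one in `Project.find_by_name` that the new TODO describes; the backend response itself is not filtered here. The removed `render_project_packages` resolved `?expand` in the frontend through `@project.expand_all_packages`, whereas the parameter is now presumably just forwarded, and whether the backend's expansion respects the visibility of the projects it pulls packages from is not visible in this patch. I would add request specs for a hidden project and for `?expand` on a project that draws packages from a hidden one before merging. Smaller point: `%w[verboseproductlist productlist issues info]` repeats the `when` arms, so a new view has to be added in two places; keeping the check as the `case`'s `else raise InvalidParameterError, ...` arm avoids that. `show` begins above this hunk.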
@@ -51,11 +56,6 @@ def render_project_issues
 render partial: 'source/project_issues', formats: [:xml]
 end
- def render_project_packages
- @packages = params.key?(:expand) ? @project.expand_all_packages : @project.packages.pluck(:name)
- render locals: { expand: params.key?(:expand) }, formats: [:xml]
- end
-
 # DELETE /source/:project
 def delete
 project = Project.get_by_name(params[:project])