Merge pull request DependencyTrack#2584 from nscuro/issue-2583

nscuro · web-flow · commit e47c1d27f101 · 2023-03-11T21:07:47.000+01:00
Fix invalid query filter assembly
diff --git a/src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java b/src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java
@@ -849,7 +849,7 @@ private void preprocessACLs(final Query<Project> query, final String inputFilter
                         sb.append(" || ");
                     }
                 }
-                if (inputFilter != null) {
+                if (inputFilter != null && !inputFilter.isBlank()) {
                     query.setFilter(inputFilter + " && (" + sb.toString() + ")");
                 } else {
                     query.setFilter(sb.toString());
diff --git a/src/test/java/org/dependencytrack/resources/v1/ProjectResourceTest.java b/src/test/java/org/dependencytrack/resources/v1/ProjectResourceTest.java
@@ -23,6 +23,7 @@
 import alpine.server.filters.ApiFilter;
 import alpine.server.filters.AuthenticationFilter;
 import org.dependencytrack.ResourceTest;
+import org.dependencytrack.model.ConfigPropertyConstants;
 import org.dependencytrack.model.Project;
 import org.dependencytrack.model.Tag;
 import org.glassfish.jersey.client.HttpUrlConnectorProvider;
@@ -40,7 +41,6 @@
 import javax.ws.rs.client.Entity;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-
 import java.util.ArrayList;
 import java.util.List;
 import java.util.UUID;
@@ -81,6 +81,38 @@ public void getProjectsDefaultRequestTest() {
         Assert.assertEquals("999", json.getJsonObject(0).getString("version"));
     }
 
+    @Test // https://github.com/DependencyTrack/dependency-track/issues/2583
+    public void getProjectsWithAclEnabledTest() {
+        // Enable portfolio access control.
+        qm.createConfigProperty(
+                ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getGroupName(),
+                ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getPropertyName(),
+                "true",
+                ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getPropertyType(),
+                null
+        );
+
+        // Create project and give access to current principal's team.
+        final Project accessProject = qm.createProject("acme-app-a", null, "1.0.0", null, null, null, true, false);
+        accessProject.setAccessTeams(List.of(team));
+        qm.persist(accessProject);
+
+        // Create a second project that the current principal has no access to.
+        qm.createProject("acme-app-b", null, "2.0.0", null, null, null, true, false);
+
+        final Response response = target(V1_PROJECT)
+                .request()
+                .header(X_API_KEY, apiKey)
+                .get(Response.class);
+        Assert.assertEquals(200, response.getStatus(), 0);
+        Assert.assertEquals("1", response.getHeaderString(TOTAL_COUNT_HEADER));
+        JsonArray json = parseJsonArray(response);
+        Assert.assertNotNull(json);
+        Assert.assertEquals(1, json.size());
+        Assert.assertEquals("acme-app-a", json.getJsonObject(0).getString("name"));
+        Assert.assertEquals("1.0.0", json.getJsonObject(0).getString("version"));
+    }
+
     @Test
     public void getProjectsByNameRequestTest() {
         for (int i=0; i<1000; i++) {

Original file line number	Diff line number	Diff line change
`@@ -849,7 +849,7 @@ private void preprocessACLs(final Query<Project> query, final String inputFilter`
`849`	`849`	`sb.append(" \|\| ");`
`850`	`850`	`}`
`851`	`851`	`}`
`852`		`- if (inputFilter != null) {`
	`852`	`+ if (inputFilter != null && !inputFilter.isBlank()) {`
`853`	`853`	`query.setFilter(inputFilter + " && (" + sb.toString() + ")");`
`854`	`854`	`} else {`
`855`	`855`	`query.setFilter(sb.toString());`