CE-1955 Avoid type-based exceptions checking security key values

2025-07-18 05:01:07 +00:00 · 2024-11-19 08:37:36 -06:00
parent c09198eed5
commit b684f2409b
2 changed files with 46 additions and 7 deletions
--- a/qqq-backend-core/src/main/java/com/kingsrook/qqq/backend/core/model/session/QSession.java
+++ b/qqq-backend-core/src/main/java/com/kingsrook/qqq/backend/core/model/session/QSession.java
@ -48,7 +48,7 @@ public class QSession implements Serializable, Cloneable
   private QUser  user;
   private String uuid;

-   private Set<String>                     permissions;
+   private Set<String> permissions;

   private Map<String, List<Serializable>> securityKeyValues;
   private Map<String, Serializable>       backendVariants;
@ -360,12 +360,38 @@ public class QSession implements Serializable, Cloneable
         return (false);
      }

-      List<Serializable> values      = securityKeyValues.get(keyName);
-      Serializable       valueAsType = ValueUtils.getValueAsFieldType(fieldType, value);
+      List<Serializable> values = securityKeyValues.get(keyName);
+
+      Serializable valueAsType;
+      try
+      {
+         valueAsType = ValueUtils.getValueAsFieldType(fieldType, value);
+      }
+      catch(Exception e)
+      {
+         ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+         // an exception in getValueAsFieldType would indicate, e.g., a non-number string trying to come back as integer. //
+         // so - assume that any such mismatch means the value isn't in the session.                                      //
+         ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+         return (false);
+      }
+
      for(Serializable keyValue : values)
      {
-         Serializable keyValueAsType = ValueUtils.getValueAsFieldType(fieldType, keyValue);
-         if(keyValueAsType.equals(valueAsType))
+         Serializable keyValueAsType = null;
+         try
+         {
+            keyValueAsType = ValueUtils.getValueAsFieldType(fieldType, keyValue);
+         }
+         catch(Exception e)
+         {
+            ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+            // an exception in getValueAsFieldType would indicate, e.g., a non-number string trying to come back as integer. //
+            // so - assume that any such mismatch means this key isn't a match.
+            ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+         }
+
+         if(valueAsType.equals(keyValueAsType))
         {
            return (true);
         }
@ -561,6 +587,7 @@ public class QSession implements Serializable, Cloneable
   }


+
   /*******************************************************************************
    ** Getter for valuesForFrontend
    *******************************************************************************/
@ -591,6 +618,7 @@ public class QSession implements Serializable, Cloneable
   }


+
   /*******************************************************************************
    ** Fluent setter for a single valuesForFrontend
    *******************************************************************************/
@ -604,5 +632,4 @@ public class QSession implements Serializable, Cloneable
      return (this);
   }

-
 }
--- a/qqq-backend-core/src/test/java/com/kingsrook/qqq/backend/core/model/session/QSessionTest.java
+++ b/qqq-backend-core/src/test/java/com/kingsrook/qqq/backend/core/model/session/QSessionTest.java
@ -76,7 +76,7 @@ class QSessionTest extends BaseTest
   void testMixedValueTypes()
   {
      QSession session = new QSession().withSecurityKeyValues(Map.of(
-         "storeId", List.of("100", "200", 300)
+         "storeId", List.of("100", "200", 300, "four-hundred")
      ));

      for(int i : List.of(100, 200, 300))
@ -86,6 +86,18 @@ class QSessionTest extends BaseTest
         assertTrue(session.hasSecurityKeyValue("storeId", i, QFieldType.STRING), "Should contain: " + i);
         assertTrue(session.hasSecurityKeyValue("storeId", String.valueOf(i), QFieldType.STRING), "Should contain: " + i);
      }
+
+      ////////////////////////////////////////////////////////////////////////////
+      // next two blocks - used to throw exceptions - now, gracefully be false. //
+      ////////////////////////////////////////////////////////////////////////////
+      int i = 400;
+      assertFalse(session.hasSecurityKeyValue("storeId", i, QFieldType.INTEGER), "Should not contain: " + i);
+      assertFalse(session.hasSecurityKeyValue("storeId", String.valueOf(i), QFieldType.INTEGER), "Should not contain: " + i);
+      assertFalse(session.hasSecurityKeyValue("storeId", i, QFieldType.STRING), "Should not contain: " + i);
+      assertFalse(session.hasSecurityKeyValue("storeId", String.valueOf(i), QFieldType.STRING), "Should not contain: " + i);
+
+      assertFalse(session.hasSecurityKeyValue("storeId", "one-hundred", QFieldType.INTEGER), "Should not contain: " + i);
+      assertFalse(session.hasSecurityKeyValue("storeId", "one-hundred", QFieldType.STRING), "Should not contain: " + i);
   }