Fix invalid query filter assembly

Fixes DependencyTrack#2583 Signed-off-by: nscuro <nscuro@protonmail.com>
sahibamittal · Mar 9, 2023 · ca74c26 · ca74c26
1 parent 9a5645a
commit ca74c26
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java b/src/main/java/org/dependencytrack/persistence/ProjectQueryManager.java
@@ -849,7 +849,7 @@ private void preprocessACLs(final Query<Project> query, final String inputFilter
                         sb.append(" || ");
                     }
                 }
-                if (inputFilter != null) {
+                if (inputFilter != null && !inputFilter.isBlank()) {
                     query.setFilter(inputFilter + " && (" + sb.toString() + ")");
                 } else {
                     query.setFilter(sb.toString());

diff --git a/src/test/java/org/dependencytrack/resources/v1/ProjectResourceTest.java b/src/test/java/org/dependencytrack/resources/v1/ProjectResourceTest.java
@@ -23,6 +23,7 @@
 import alpine.server.filters.ApiFilter;
 import alpine.server.filters.AuthenticationFilter;
 import org.dependencytrack.ResourceTest;
+import org.dependencytrack.model.ConfigPropertyConstants;
 import org.dependencytrack.model.Project;
 import org.dependencytrack.model.Tag;
 import org.glassfish.jersey.client.HttpUrlConnectorProvider;
@@ -40,7 +41,6 @@
 import javax.ws.rs.client.Entity;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-
 import java.util.ArrayList;
 import java.util.List;
 import java.util.UUID;
@@ -81,6 +81,38 @@ public void getProjectsDefaultRequestTest() {
         Assert.assertEquals("999", json.getJsonObject(0).getString("version"));
     }
 
+    @Test // https://github.com/DependencyTrack/dependency-track/issues/2583
+    public void getProjectsWithAclEnabledTest() {
+        // Enable portfolio access control.
+        qm.createConfigProperty(
+                ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getGroupName(),
+                ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getPropertyName(),
+                "true",
+                ConfigPropertyConstants.ACCESS_MANAGEMENT_ACL_ENABLED.getPropertyType(),
+                null
+        );
+
+        // Create project and give access to current principal's team.
+        final Project accessProject = qm.createProject("acme-app-a", null, "1.0.0", null, null, null, true, false);
+        accessProject.setAccessTeams(List.of(team));
+        qm.persist(accessProject);
+
+        // Create a second project that the current principal has no access to.
+        qm.createProject("acme-app-b", null, "2.0.0", null, null, null, true, false);
+
+        final Response response = target(V1_PROJECT)
+                .request()
+                .header(X_API_KEY, apiKey)
+                .get(Response.class);
+        Assert.assertEquals(200, response.getStatus(), 0);
+        Assert.assertEquals("1", response.getHeaderString(TOTAL_COUNT_HEADER));
+        JsonArray json = parseJsonArray(response);
+        Assert.assertNotNull(json);
+        Assert.assertEquals(1, json.size());
+        Assert.assertEquals("acme-app-a", json.getJsonObject(0).getString("name"));
+        Assert.assertEquals("1.0.0", json.getJsonObject(0).getString("version"));
+    }
+
     @Test
     public void getProjectsByNameRequestTest() {
         for (int i=0; i<1000; i++) {