From 6a11464d607575150a376166a0e99a71231fa31f Mon Sep 17 00:00:00 2001 From: Jason Rasmussen Date: Tue, 2 Jul 2024 15:56:05 -0400 Subject: [PATCH] fix(server): do not allow merging a person into themselves (#10776) --- e2e/src/api/specs/person.e2e-spec.ts | 17 +++++++++++++++++ server/src/services/person.service.ts | 4 ++++ 2 files changed, 21 insertions(+) diff --git a/e2e/src/api/specs/person.e2e-spec.ts b/e2e/src/api/specs/person.e2e-spec.ts index 963b4cf7bc..39f531d513 100644 --- a/e2e/src/api/specs/person.e2e-spec.ts +++ b/e2e/src/api/specs/person.e2e-spec.ts @@ -230,4 +230,21 @@ describe('/people', () => { expect(body).toMatchObject({ birthDate: null }); }); }); + + describe('POST /people/:id/merge', () => { + it('should require authentication', async () => { + const { status, body } = await request(app).post(`/people/${uuidDto.notFound}/merge`); + expect(status).toBe(401); + expect(body).toEqual(errorDto.unauthorized); + }); + + it('should not supporting merging a person into themselves', async () => { + const { status, body } = await request(app) + .post(`/people/${visiblePerson.id}/merge`) + .set('Authorization', `Bearer ${admin.accessToken}`) + .send({ ids: [visiblePerson.id] }); + expect(status).toBe(400); + expect(body).toEqual(errorDto.badRequest('Cannot merge a person into themselves')); + }); + }); }); diff --git a/server/src/services/person.service.ts b/server/src/services/person.service.ts index 05034dc6f9..96982b10ad 100644 --- a/server/src/services/person.service.ts +++ b/server/src/services/person.service.ts @@ -551,6 +551,10 @@ export class PersonService { async mergePerson(auth: AuthDto, id: string, dto: MergePersonDto): Promise { const mergeIds = dto.ids; + if (mergeIds.includes(id)) { + throw new BadRequestException('Cannot merge a person into themselves'); + } + await this.access.requirePermission(auth, Permission.PERSON_WRITE, id); let primaryPerson = await this.findOrFail(id); const primaryName = primaryPerson.name || primaryPerson.id;
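Review bot: The second test's title reads `'should not supporting merging a person into themselves'` and should be `'should not support merging a person into themselves'`. The case sends only `ids: [visiblePerson.id]`; a further request in which the person's own id sits next to another id would pin that the whole request is rejected, not just the single-element form. The enclosing `describe('/people', ...)` block starts outside the hunk.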
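Review bot: The new guard `mergeIds.includes(id)` in `mergePerson` compares the ids as raw strings, so it holds only if the path id and `dto.ids` both reach this method in one canonical form. The DTO validation is not visible in this hunk; if it accepts UUIDs in either letter case and the store compares them case-insensitively, a differently-cased copy of the same id would not be caught, so comparing normalized values is safer: `if (mergeIds.some((mergeId) => mergeId.toLowerCase() === id.toLowerCase())) {`. The guard also runs before `requirePermission`, so a caller without write access to `id` receives the 400 rather than the permission error for such a request; moving it below the permission check keeps that response uniform. `mergePerson` continues outside the hunk.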