[NXP-18030] Don't allow batch upload with a client-side generated id - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Task
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 7.4
Fix Version/s: 7.10
Component/s: File Upload , Rest API

Tags:
- nxDrive
Impact type:

API change
Upgrade notes:

Hide

Deprecated BatchManager#initBatch(String batchId, String contextName);

Show
Deprecated BatchManager#initBatch(String batchId, String contextName);
Sprint:
drive-7.10-1, drive-7.10-2
Story Points:
2

Description

The new upload API implemented by BatchUploadObject doesn't allow such thing.
Whatever request is done using the /api/v1/upload endpoint the batchId is part of the resource itself, ex:

    @POST
    @Path("{batchId}/{fileIdx}")
    public Response upload(@Context HttpServletRequest request, @PathParam(REQUEST_BATCH_ID) String batchId, @PathParam(REQUEST_FILE_IDX) String fileIdx) throws IOException

A 404 status code is returned if the batch matching the given id doesn't exist.

Yet the old API, deprecated but maintained for backward compatibility, does allow such a client-side generated id passed as a request header, see BatchResource:

    @Deprecated
    @POST
    @Path("/upload")
    public Object doPost(@Context HttpServletRequest request) throws IOException {
        ...
        String batchId = request.getHeader("X-Batch-Id");
        ...
    }

This is how the old API now behaves:

If no batch id is provided, initialize a batch with a server-side generated id by calling BatchManager#init().
If a batch id is provided:

If an existing batch matches this id use it. This is possible by making a first call to the new API: /api/v1/upload but in this case why not use the new API through the whole upload process?
If no batch matches this id:
- If the allowClientGeneratedBatchId configuration property is false, return an HTTP 500 error with the following message "Cannot upload a file with a client-side generated batch id, please use new upload API or set configuration property allowClientGeneratedBatchId to true (not recommended)".
- If the allowClientGeneratedBatchId configuration property is set to true, a batch will be initialized internally with this id by the BatchManager. With a warning in the logs: "Allowing to initialize upload batch with a client-side generated id since configuration property allowClientGeneratedBatchId is set to true but this is not recommended, please use new upload API instead".

The allowClientGeneratedBatchId configuration property is not set by default (thus false) for the LTS 2015 to enforce security.

This has consequences on the Nuxeo client code using the old batch upload API with a client-side generated id:

Drag and Drop, see ~~NXP-18031~~
JS client and nuxeo-elements, see ~~NXJS-29~~
CAP and Drive Scala bench + Drive Funkload bench, see ~~NXP-18033~~
Nuxeo Drive, see ~~NXDRIVE-433~~

Important note about Nuxeo Drive: starting from 7.10, the minimum compatible version of Nuxeo Drive will be the next released version, meaning the one following 2.0.911.
This version will include ~~NXDRIVE-433~~.

Attachments

Issue Links

depends on

NXP-16953 Polish upload API

Resolved

is required by

NXDRIVE-433 Use new upload API

Resolved

NXP-18031 Align Drag and Drop on new batch upload API

Resolved

NXP-18033 Align CAP and Drive Scala bench on new batch upload API

Resolved

NXJS-29 Align on new batch upload API

Resolved

Activity

People

Assignee:

Antoine Taillefer

Reporter:

Antoine Taillefer

Participants:

Antoine Taillefer, Jenkins, Thibaud Arguillere

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

2015-09-30 08:35

Updated:

2016-02-11 22:53

Resolved:

2015-10-22 13:57