throw exception if non superuser changes the limit

stevenwinship · stevenwinship · commit c73691b863f2 · 2025-07-07T15:37:56.000-04:00
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/Dataverses.java b/src/main/java/edu/harvard/iq/dataverse/api/Dataverses.java
@@ -135,13 +135,9 @@ public Response addRoot(@Context ContainerRequestContext crc, String body) {
     @Path("{identifier}")
     public Response addDataverse(@Context ContainerRequestContext crc, String body, @PathParam("identifier") String parentIdtf) {
         Dataverse newDataverse;
-        AuthenticatedUser u;
-        try {
-            u = getRequestAuthenticatedUserOrDie(crc);
-            newDataverse = parseAndValidateAddDataverseRequestBody(body, u.isSuperuser());
 
-        } catch (WrappedResponse ww) {
-            return handleWrappedResponse(ww);
+        try {
+            newDataverse = parseAndValidateAddDataverseRequestBody(body);
         } catch (JsonParsingException jpe) {
             return error(Status.BAD_REQUEST, MessageFormat.format(BundleUtil.getStringFromBundle("dataverse.create.error.jsonparse"), jpe.getMessage()));
         } catch (JsonParseException ex) {
@@ -158,9 +154,11 @@ public Response addDataverse(@Context ContainerRequestContext crc, String body,
                 newDataverse.setOwner(owner);
             }
 
+            AuthenticatedUser u = getRequestAuthenticatedUserOrDie(crc);
             newDataverse = execCommand(new CreateDataverseCommand(newDataverse, createDataverseRequest(u), facets, inputLevels, metadataBlocks));
             return created("/dataverses/" + newDataverse.getAlias(), json(newDataverse));
-
+        } catch (WrappedResponse ww) {
+            return handleWrappedResponse(ww);
         } catch (EJBException ex) {
             return handleEJBException(ex, "Error creating dataverse.");
         } catch (Exception ex) {
@@ -169,10 +167,10 @@ public Response addDataverse(@Context ContainerRequestContext crc, String body,
         }
     }
 
-    private Dataverse parseAndValidateAddDataverseRequestBody(String body, Boolean isSuperuser) throws JsonParsingException, JsonParseException {
+    private Dataverse parseAndValidateAddDataverseRequestBody(String body) throws JsonParsingException, JsonParseException {
         try {
             JsonObject addDataverseJson = JsonUtil.getJsonObject(body);
-            return jsonParser().parseDataverse(addDataverseJson, isSuperuser);
+            return jsonParser().parseDataverse(addDataverseJson);
         } catch (JsonParsingException jpe) {
             logger.log(Level.SEVERE, "Json: {0}", body);
             throw jpe;
@@ -187,17 +185,15 @@ private Dataverse parseAndValidateAddDataverseRequestBody(String body, Boolean i
     @Path("{identifier}")
     public Response updateDataverse(@Context ContainerRequestContext crc, String body, @PathParam("identifier") String identifier) {
         Dataverse dataverse;
-        AuthenticatedUser u;
         try {
-            u = getRequestAuthenticatedUserOrDie(crc);
             dataverse = findDataverseOrDie(identifier);
         } catch (WrappedResponse e) {
             return e.getResponse();
         }
 
         DataverseDTO updatedDataverseDTO;
         try {
-            updatedDataverseDTO = parseAndValidateUpdateDataverseRequestBody(body, u.isSuperuser());
+            updatedDataverseDTO = parseAndValidateUpdateDataverseRequestBody(body);
         } catch (JsonParsingException jpe) {
             return error(Status.BAD_REQUEST, MessageFormat.format(BundleUtil.getStringFromBundle("dataverse.create.error.jsonparse"), jpe.getMessage()));
         } catch (JsonParseException ex) {
@@ -209,6 +205,7 @@ public Response updateDataverse(@Context ContainerRequestContext crc, String bod
             List<MetadataBlock> metadataBlocks = parseMetadataBlocks(body);
             List<DatasetFieldType> facets = parseFacets(body);
 
+            AuthenticatedUser u = getRequestAuthenticatedUserOrDie(crc);
             dataverse = execCommand(new UpdateDataverseCommand(dataverse, facets, null, createDataverseRequest(u), inputLevels, metadataBlocks, updatedDataverseDTO));
             return ok(json(dataverse));
 
@@ -220,10 +217,10 @@ public Response updateDataverse(@Context ContainerRequestContext crc, String bod
         }
     }
 
-    private DataverseDTO parseAndValidateUpdateDataverseRequestBody(String body, Boolean isSuperuser) throws JsonParsingException, JsonParseException {
+    private DataverseDTO parseAndValidateUpdateDataverseRequestBody(String body) throws JsonParsingException, JsonParseException {
         try {
             JsonObject updateDataverseJson = JsonUtil.getJsonObject(body);
-            return jsonParser().parseDataverseDTO(updateDataverseJson, isSuperuser);
+            return jsonParser().parseDataverseDTO(updateDataverseJson);
         } catch (JsonParsingException jpe) {
             logger.log(Level.SEVERE, "Json: {0}", body);
             throw jpe;
diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDataverseCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/CreateDataverseCommand.java
@@ -11,6 +11,7 @@
 import edu.harvard.iq.dataverse.engine.command.RequiredPermissions;
 import edu.harvard.iq.dataverse.engine.command.exception.IllegalCommandException;
 import edu.harvard.iq.dataverse.settings.SettingsServiceBean;
+import edu.harvard.iq.dataverse.util.BundleUtil;
 
 import java.sql.Timestamp;
 import java.util.ArrayList;
@@ -50,6 +51,9 @@ protected Dataverse innerExecute(CommandContext ctxt) throws IllegalCommandExcep
                 throw new IllegalCommandException("Root Dataverse already exists. Cannot create another one", this);
             }
         }
+        if (!getUser().isSuperuser() && dataverse.isDatasetFileCountLimitSet(dataverse.getDatasetFileCountLimit())) {
+            throw new IllegalCommandException(BundleUtil.getStringFromBundle("file.dataset.error.set.file.count.limit"), this);
+        }
 
         if (metadataBlocks != null && !metadataBlocks.isEmpty()) {
             dataverse.setMetadataBlockRoot(true);
diff --git a/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/UpdateDataverseCommand.java b/src/main/java/edu/harvard/iq/dataverse/engine/command/impl/UpdateDataverseCommand.java
@@ -11,6 +11,7 @@
 import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
 import edu.harvard.iq.dataverse.engine.command.RequiredPermissions;
 import edu.harvard.iq.dataverse.engine.command.exception.IllegalCommandException;
+import edu.harvard.iq.dataverse.util.BundleUtil;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -66,6 +67,9 @@ protected Dataverse innerExecute(CommandContext ctxt) throws IllegalCommandExcep
                 }
             }
         }
+        if (!getUser().isSuperuser() && updatedDataverseDTO.getDatasetFileCountLimit() != dataverse.getDatasetFileCountLimit()) {
+            throw new IllegalCommandException(BundleUtil.getStringFromBundle("file.dataset.error.set.file.count.limit"), this);
+        }
 
         Dataverse oldDv = ctxt.dataverses().find(dataverse.getId());
 
diff --git a/src/main/java/edu/harvard/iq/dataverse/util/json/JsonParser.java b/src/main/java/edu/harvard/iq/dataverse/util/json/JsonParser.java
@@ -119,9 +119,6 @@ public void setLenient(boolean lenient) {
     }
 
     public Dataverse parseDataverse(JsonObject jobj) throws JsonParseException {
-        return parseDataverse(jobj, false);
-    }
-    public Dataverse parseDataverse(JsonObject jobj, boolean isSuperuser) throws JsonParseException {
         Dataverse dv = new Dataverse();
 
         /**
@@ -137,7 +134,7 @@ public Dataverse parseDataverse(JsonObject jobj, boolean isSuperuser) throws Jso
         dv.setPermissionRoot(jobj.getBoolean("permissionRoot", false));
         dv.setFacetRoot(jobj.getBoolean("facetRoot", false));
         dv.setAffiliation(jobj.getString("affiliation", null));
-        if (isSuperuser) {
+        if (jobj.containsKey("datasetFileCountLimit")) {
             dv.setDatasetFileCountLimit(jobj.getInt("datasetFileCountLimit", -1));
         }
 
@@ -206,9 +203,6 @@ public Dataverse parseDataverse(JsonObject jobj, boolean isSuperuser) throws Jso
     }
 
     public DataverseDTO parseDataverseDTO(JsonObject jsonObject) throws JsonParseException {
-        return parseDataverseDTO(jsonObject, false);
-    }
-    public DataverseDTO parseDataverseDTO(JsonObject jsonObject, Boolean isSuperuser) throws JsonParseException {
         DataverseDTO dataverseDTO = new DataverseDTO();
 
         setDataverseDTOPropertyIfPresent(jsonObject, "alias", dataverseDTO::setAlias);
@@ -236,7 +230,7 @@ public DataverseDTO parseDataverseDTO(JsonObject jsonObject, Boolean isSuperuser
             }
             dataverseDTO.setDataverseContacts(contacts);
         }
-        if (isSuperuser && jsonObject.containsKey("datasetFileCountLimit")) {
+        if (jsonObject.containsKey("datasetFileCountLimit")) {
             dataverseDTO.setDatasetFileCountLimit(Integer.valueOf(jsonObject.getInt("datasetFileCountLimit")));
         }
 
diff --git a/src/main/java/propertyFiles/Bundle.properties b/src/main/java/propertyFiles/Bundle.properties
@@ -2385,6 +2385,7 @@ file.message.replaceSuccess=The file has been replaced.
 
 # File Add/Replace operation messages
 file.add.count_exceeds_limit=Number of files can not exceed the maximum number of files allowed for this Dataset ({0}).
+file.dataset.error.set.file.count.limit=Only Superuser can set the Dataset File Count Limit.
 file.addreplace.file_size_ok=File size is in range.
 file.addreplace.error.byte_abrev=B
 file.addreplace.error.file_exceeds_limit=This file size ({0}) exceeds the size limit of {1}.
@@ -3222,4 +3223,4 @@ updateDatasetFieldsCommand.api.processDatasetUpdate.parseError=Error parsing dat
 abstractApiBean.error.datasetInternalVersionNumberIsOutdated=Dataset internal version number {0} is outdated
 
 #RoleAssigneeServiceBean.java
-roleAssigneeServiceBean.error.dataverseRequestCannotBeNull=DataverseRequest cannot be null.
+roleAssigneeServiceBean.error.dataverseRequestCannotBeNull=DataverseRequest cannot be null.
diff --git a/src/test/java/edu/harvard/iq/dataverse/api/FilesIT.java b/src/test/java/edu/harvard/iq/dataverse/api/FilesIT.java
@@ -3308,9 +3308,9 @@ public void testUploadFilesWithLimits() throws JsonParseException {
         // Test changing the limit by a non-superuser
         dv.setDatasetFileCountLimit(100);
         updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, apiToken);
+        updateDataverseResponse.prettyPrint();
         updateDataverseResponse.then().assertThat()
-                .statusCode(OK.getStatusCode())
-                .body("data.effectiveDatasetFileCountLimit", equalTo(1))
-                .body("data.datasetFileCountLimit", equalTo(1));
+                .body("message", containsString(BundleUtil.getStringFromBundle("file.dataset.error.set.file.count.limit")))
+                .statusCode(INTERNAL_SERVER_ERROR.getStatusCode());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@`
`11`	`11`	`import edu.harvard.iq.dataverse.engine.command.DataverseRequest;`
`12`	`12`	`import edu.harvard.iq.dataverse.engine.command.RequiredPermissions;`
`13`	`13`	`import edu.harvard.iq.dataverse.engine.command.exception.IllegalCommandException;`
	`14`	`+import edu.harvard.iq.dataverse.util.BundleUtil;`
`14`	`15`
`15`	`16`	`import java.util.ArrayList;`
`16`	`17`	`import java.util.List;`
`@@ -66,6 +67,9 @@ protected Dataverse innerExecute(CommandContext ctxt) throws IllegalCommandExcep`
`66`	`67`	`}`
`67`	`68`	`}`
`68`	`69`	`}`
	`70`	`+ if (!getUser().isSuperuser() && updatedDataverseDTO.getDatasetFileCountLimit() != dataverse.getDatasetFileCountLimit()) {`
	`71`	`+ throw new IllegalCommandException(BundleUtil.getStringFromBundle("file.dataset.error.set.file.count.limit"), this);`
	`72`	`+ }`
`69`	`73`
`70`	`74`	`Dataverse oldDv = ctxt.dataverses().find(dataverse.getId());`
`71`	`75`
Original file line number	Diff line number	Diff line change
`@@ -119,9 +119,6 @@ public void setLenient(boolean lenient) {`
`119`	`119`	`}`
`120`	`120`
`121`	`121`	`public Dataverse parseDataverse(JsonObject jobj) throws JsonParseException {`
`122`		`- return parseDataverse(jobj, false);`
`123`		`- }`
`124`		`- public Dataverse parseDataverse(JsonObject jobj, boolean isSuperuser) throws JsonParseException {`
`125`	`122`	`Dataverse dv = new Dataverse();`
`126`	`123`
`127`	`124`	`/**`
`@@ -137,7 +134,7 @@ public Dataverse parseDataverse(JsonObject jobj, boolean isSuperuser) throws Jso`
`137`	`134`	`dv.setPermissionRoot(jobj.getBoolean("permissionRoot", false));`
`138`	`135`	`dv.setFacetRoot(jobj.getBoolean("facetRoot", false));`
`139`	`136`	`dv.setAffiliation(jobj.getString("affiliation", null));`
`140`		`- if (isSuperuser) {`
	`137`	`+ if (jobj.containsKey("datasetFileCountLimit")) {`
`141`	`138`	`dv.setDatasetFileCountLimit(jobj.getInt("datasetFileCountLimit", -1));`
`142`	`139`	`}`
`143`	`140`
`@@ -206,9 +203,6 @@ public Dataverse parseDataverse(JsonObject jobj, boolean isSuperuser) throws Jso`
`206`	`203`	`}`
`207`	`204`
`208`	`205`	`public DataverseDTO parseDataverseDTO(JsonObject jsonObject) throws JsonParseException {`
`209`		`- return parseDataverseDTO(jsonObject, false);`
`210`		`- }`
`211`		`- public DataverseDTO parseDataverseDTO(JsonObject jsonObject, Boolean isSuperuser) throws JsonParseException {`
`212`	`206`	`DataverseDTO dataverseDTO = new DataverseDTO();`
`213`	`207`
`214`	`208`	`setDataverseDTOPropertyIfPresent(jsonObject, "alias", dataverseDTO::setAlias);`
`@@ -236,7 +230,7 @@ public DataverseDTO parseDataverseDTO(JsonObject jsonObject, Boolean isSuperuser`
`236`	`230`	`}`
`237`	`231`	`dataverseDTO.setDataverseContacts(contacts);`
`238`	`232`	`}`
`239`		`- if (isSuperuser && jsonObject.containsKey("datasetFileCountLimit")) {`
	`233`	`+ if (jsonObject.containsKey("datasetFileCountLimit")) {`
`240`	`234`	`dataverseDTO.setDatasetFileCountLimit(Integer.valueOf(jsonObject.getInt("datasetFileCountLimit")));`
`241`	`235`	`}`
`242`	`236`
Original file line number	Diff line number	Diff line change
`@@ -3308,9 +3308,9 @@ public void testUploadFilesWithLimits() throws JsonParseException {`
`3308`	`3308`	`// Test changing the limit by a non-superuser`
`3309`	`3309`	`dv.setDatasetFileCountLimit(100);`
`3310`	`3310`	`updateDataverseResponse = UtilIT.updateDataverse(dataverseAlias, dv, apiToken);`
	`3311`	`+ updateDataverseResponse.prettyPrint();`
`3311`	`3312`	`updateDataverseResponse.then().assertThat()`
`3312`		`- .statusCode(OK.getStatusCode())`
`3313`		`- .body("data.effectiveDatasetFileCountLimit", equalTo(1))`
`3314`		`- .body("data.datasetFileCountLimit", equalTo(1));`
	`3313`	`+ .body("message", containsString(BundleUtil.getStringFromBundle("file.dataset.error.set.file.count.limit")))`
	`3314`	`+ .statusCode(INTERNAL_SERVER_ERROR.getStatusCode());`
`3315`	`3315`	`}`
`3316`	`3316`	`}`