From 325b90fb1bff2fb346cfb7b6189008547888f0e6 Mon Sep 17 00:00:00 2001
From: Viet Nguyen
Date: Tue, 3 Dec 2024 05:04:05 -0600
Subject: [PATCH] fix: not apply identiable token filter to uid length < 4 (#19333)
---
 .../dhis/query/operators/TokenOperator.java | 7 ++
 .../hisp/dhis/query/TokenOperatorTest.java | 14 ++++
 .../CrudControllerIntegrationTest.java | 66 +++++++++++++++++++
 3 files changed, 87 insertions(+)
 create mode 100644 dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/CrudControllerIntegrationTest.java
diff --git a/dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/query/operators/TokenOperator.java b/dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/query/operators/TokenOperator.java
index e668eab20f1e..d153ccda5f7e 100644
--- a/dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/query/operators/TokenOperator.java
+++ b/dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/query/operators/TokenOperator.java
@@ -61,6 +61,9 @@ public Criterion getHibernateCriterion(QueryPath queryPath) {
 @Override
 public Predicate getPredicate(CriteriaBuilder builder, Root root, QueryPath queryPath) {
 String value = caseSensitive ? getValue(String.class) : getValue(String.class).toLowerCase();
+ if (skipUidToken(value, queryPath)) {
+ return null;
+ }
 
 return builder.equal(
 builder.function(
@@ -75,4 +78,8 @@ public Predicate getPredicate(CriteriaBuilder builder, Root root, QueryPa
 public boolean test(Object value) {
 return TokenUtils.test(value, getValue(String.class), caseSensitive, matchMode);
 }
+
+ private boolean skipUidToken(String value, QueryPath query) {
+ return "uid".equals(query.getProperty().getFieldName()) && value.length() < 4;
+ }
 }
diff --git a/dhis-2/dhis-services/dhis-service-core/src/test/java/org/hisp/dhis/query/TokenOperatorTest.java b/dhis-2/dhis-services/dhis-service-core/src/test/java/org/hisp/dhis/query/TokenOperatorTest.java
index d01901dfd3e1..9ba40b3223f6 100644
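Review bot: Returning `null` from `getPredicate` when `skipUidToken(...)` is true makes "no predicate" part of this method's contract, but nothing in the hunk documents it and the code that consumes the return value is not visible here. If a caller combines the result without a null check, a short uid token either throws or, when the uid filter is the only criterion, may drop the restriction and return an unfiltered list, which is the fail-open direction for a query filter. A predicate that matches nothing behaves the same inside an OR group and fails closed on its own: `return builder.disjunction();` in place of `return null;` (the new unit test, which passes a `null` builder, would need a stub). If `null` is kept, add a Javadoc line on `getPredicate` such as `@return the token predicate, or {@code null} when the filter targets uid with fewer than 4 characters and the caller must ignore it`. The method body continues past the end of the hunk.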
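Review bot: The minimum length is enforced only on the JPA path: `test(Object value)`, shown as context just above `skipUidToken`, still calls `TokenUtils.test(...)` with no length check, and `getHibernateCriterion` (named in the first hunk's header, body not visible) is not touched by this patch. If uid filters can also be evaluated in memory, the same short token would match in one engine and be skipped in the other; worth confirming, and stating in a comment if the difference is intended. The literal `4` would read better as a named constant carrying the reason, for example `private static final int MIN_UID_TOKEN_LENGTH = 4; // shorter tokens are not matched against uid`. `query.getProperty()` is dereferenced without a null check, so the helper assumes every `QueryPath` that reaches it carries a property.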
--- a/dhis-2/dhis-services/dhis-service-core/src/test/java/org/hisp/dhis/query/TokenOperatorTest.java
+++ b/dhis-2/dhis-services/dhis-service-core/src/test/java/org/hisp/dhis/query/TokenOperatorTest.java
@@ -28,11 +28,15 @@
 package org.hisp.dhis.query;
 
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import org.hisp.dhis.query.operators.MatchMode;
 import org.hisp.dhis.query.operators.NotTokenOperator;
 import org.hisp.dhis.query.operators.TokenOperator;
+import org.hisp.dhis.query.planner.QueryPath;
+import org.hisp.dhis.schema.Property;
+import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 
 /**
@@ -43,6 +47,16 @@
 */
 class TokenOperatorTest {
 
+ @Test
+ @DisplayName("Uid Token filter must have at least 4 characters. Otherwise return null.")
+ void testUidLength() {
+ TokenOperator operator = new TokenOperator("ABC", false, MatchMode.ANYWHERE);
+ Property property = new Property();
+ property.setFieldName("uid");
+ QueryPath queryPath = new QueryPath(property, true);
+ assertNull(operator.getPredicate(null, null, queryPath));
+ }
+
 @Test
 void nullValue() {
 for (MatchMode mode : MatchMode.values()) {
diff --git a/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/CrudControllerIntegrationTest.java b/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/CrudControllerIntegrationTest.java
new file mode 100644
index 000000000000..93091bd31f0d
--- /dev/null
+++ b/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/CrudControllerIntegrationTest.java
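Review bot: `testUidLength` covers only the skipped case (`"ABC"` on `uid`), and because it passes `null` for both the builder and the root it cannot exercise any input that gets past the early return. The boundary is therefore unpinned: nothing checks that a 4-character value on `uid`, or a 3-character value on another field such as `name`, still produces a predicate. Adding those two cases with a stubbed `CriteriaBuilder` (if the module already has a mocking library on its test classpath) and asserting a non-null result would catch an off-by-one in `value.length() < 4` or a change to the `"uid"` comparison. `nullValue()`, which follows, is only partly visible in this hunk.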
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2004-2023, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package org.hisp.dhis.webapi.controller;
+
+import static org.hisp.dhis.web.WebClientUtils.assertStatus;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import lombok.extern.slf4j.Slf4j;
+import org.hisp.dhis.jsontree.JsonResponse;
+import org.hisp.dhis.web.HttpStatus;
+import org.hisp.dhis.webapi.DhisControllerIntegrationTest;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+
+@Slf4j
+class CrudControllerIntegrationTest extends DhisControllerIntegrationTest {
+
+ @Test
+ @DisplayName("Should not apply token filter for UID if value has length < 4")
+ void testIdentifiableTokenFilterLength() {
+ assertStatus(
+ HttpStatus.CREATED,
+ POST(
+ "/organisationUnits/",
+ "{'name':'My Unit 1', 'shortName':'OU1', 'openingDate': '2020-01-01'}"));
+ String ou2 =
+ assertStatus(
+ HttpStatus.CREATED,
+ POST(
+ "/organisationUnits/",
+ "{'name':'My Unit 2', 'shortName':'OU2', 'openingDate': '2020-01-01'}"));
+
+ JsonResponse response =
+ GET("/organisationUnits?filter=identifiable:token:" + ou2.substring(0, 3)).content();
+ assertEquals(0, response.getArray("organisationUnits").size());
+
+ response = GET("/organisationUnits?filter=identifiable:token:" + ou2.substring(0, 4)).content();
+ assertEquals(1, response.getArray("organisationUnits").size());
+ assertEquals(ou2, response.getArray("organisationUnits").getObject(0).getString("id").string());
+ }
+}
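Review bot: Both requests in `testIdentifiableTokenFilterLength` go through `identifiable:token`, where the uid match is presumably one of several alternatives, so the test never covers a short token filtered against the id alone. That is the case where the `null` returned by `TokenOperator.getPredicate` would be the only criterion, and the expected outcome (empty list, full list, or an error) should be pinned; for example a request with `filter=id:token:` plus `ou2.substring(0, 3)` and an explicit `assertEquals` on the array size, assuming `id` is the property that maps to the `uid` field. Separately, `@Slf4j` and its import are unused in this class and can be dropped.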