diff --git a/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceTest.java b/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceTest.java
index ad4f813252..845157b11a 100644
--- a/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceTest.java
+++ b/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceTest.java
@@ -25,6 +25,7 @@
import javax.enterprise.event.Event;
+import org.apache.commons.text.StringEscapeUtils;
import org.assertj.core.api.Assertions;
import org.assertj.core.api.Condition;
import org.guvnor.structure.backend.organizationalunit.config.SpaceConfigStorageRegistryImpl;
@@ -268,6 +269,77 @@ public void createValidOrganizationalUnitTest() {
assertEquals(SPACE_DESCRIPTION, ou.getDescription());
assertEquals(DEFAULT_GROUP_ID, ou.getDefaultGroupId());
assertEquals(contributors, ou.getContributors());
+ Assertions.assertThat(ou.getContributors()).hasSize(1);
+ Assertions.assertThat(ou.getContributors()).hasOnlyOneElementSatisfying((contributor) -> {
+ contributor.getUsername().equals(StringEscapeUtils.escapeHtml4(ADMIN));
+ });
+ }
+
+ @Test
+ public void createOrganizationalUnitWithPersistentXssInContributorTest() {
+ final String persistentXssContributor = "![]()
";
+ final String escapedPersistentXssContributor = StringEscapeUtils.escapeHtml4(persistentXssContributor);
+
+ List contributors = new ArrayList<>();
+ contributors.add(new Contributor(persistentXssContributor,
+ ContributorType.ADMIN));
+
+ setOUCreationPermission(true);
+
+ final OrganizationalUnit ou = organizationalUnitService.createOrganizationalUnit(SPACE_NAME,
+ DEFAULT_GROUP_ID,
+ new ArrayList<>(),
+ contributors,
+ SPACE_DESCRIPTION);
+
+ assertNotNull(ou);
+ verify(organizationalUnitFactory).newOrganizationalUnit(any());
+ assertEquals(SPACE_NAME, ou.getName());
+ assertEquals(SPACE_DESCRIPTION, ou.getDescription());
+ assertEquals(DEFAULT_GROUP_ID, ou.getDefaultGroupId());
+
+ Assertions.assertThat(ou.getContributors()).hasSize(1);
+ Assertions.assertThat(ou.getContributors()).hasOnlyOneElementSatisfying((contributor) -> {
+ contributor.getUsername().equals(escapedPersistentXssContributor);
+ });
+ }
+
+ @Test
+ public void createOrganizationalUnitWithPersistentXssAndValidContributorTest() {
+ final String persistentXssContributor = "![]()
";
+ final String escapedPersistentXssContributor = StringEscapeUtils.escapeHtml4(persistentXssContributor);
+ final String escapedAdminContributor = StringEscapeUtils.escapeHtml4(ADMIN);
+ final String regularContributor = "head_technician_junior-intern";
+
+ List contributors = new ArrayList<>();
+ contributors.add(new Contributor(persistentXssContributor,
+ ContributorType.CONTRIBUTOR));
+ contributors.add(new Contributor(ADMIN,
+ ContributorType.ADMIN));
+ contributors.add(new Contributor(regularContributor,
+ ContributorType.OWNER));
+
+ setOUCreationPermission(true);
+
+ final OrganizationalUnit ou = organizationalUnitService.createOrganizationalUnit(SPACE_NAME,
+ DEFAULT_GROUP_ID,
+ new ArrayList<>(),
+ contributors,
+ SPACE_DESCRIPTION);
+
+ assertNotNull(ou);
+ verify(organizationalUnitFactory).newOrganizationalUnit(any());
+ assertEquals(SPACE_NAME, ou.getName());
+ assertEquals(SPACE_DESCRIPTION, ou.getDescription());
+ assertEquals(DEFAULT_GROUP_ID, ou.getDefaultGroupId());
+
+ Assertions.assertThat(ou.getContributors()).hasSize(3);
+ Assertions.assertThat(ou.getContributors()).containsExactly(new Contributor(escapedPersistentXssContributor,
+ ContributorType.CONTRIBUTOR),
+ new Contributor(escapedAdminContributor,
+ ContributorType.ADMIN),
+ new Contributor(StringEscapeUtils.escapeHtml4(regularContributor),
+ ContributorType.OWNER));
}
@Test
@@ -326,6 +398,40 @@ public void testUpdateOrganizationalUnit() {
verify(spaceConfigStorage).endBatch();
}
+ @Test
+ public void testContributorsPersistentXssOnUpdateOrganizationalUnit() {
+ final String persistentXssContributor = "![]()
";
+ final String escapedPersistentXssContributor = StringEscapeUtils.escapeHtml4(persistentXssContributor);
+
+ OrganizationalUnit organizationalUnit =
+ organizationalUnitService.updateOrganizationalUnit(SPACE_NAME,
+ DEFAULT_GROUP_ID,
+ Collections.singletonList(
+ new Contributor(
+ persistentXssContributor,
+ ContributorType.ADMIN
+ )
+ )
+ );
+
+ Assertions.assertThat(organizationalUnit)
+ .hasFieldOrPropertyWithValue("name", SPACE_NAME)
+ .hasFieldOrPropertyWithValue("defaultGroupId", DEFAULT_GROUP_ID);
+
+ Assertions.assertThat(organizationalUnit.getContributors()).hasSize(1);
+ Assertions.assertThat(organizationalUnit.getContributors()).hasOnlyOneElementSatisfying((contributor) -> {
+ contributor.getUsername().equals(escapedPersistentXssContributor);
+ });
+
+ Assertions.assertThat(spaceInfo)
+ .hasFieldOrPropertyWithValue("name", SPACE_NAME)
+ .hasFieldOrPropertyWithValue("defaultGroupId", DEFAULT_GROUP_ID);
+
+ verify(spaceConfigStorage).startBatch();
+ verify(spaceConfigStorage).saveSpaceInfo(eq(spaceInfo));
+ verify(spaceConfigStorage).endBatch();
+ }
+
@Test
public void testCheckChildrenRepositoryContributors() {
OrganizationalUnit organizationalUnit = new OrganizationalUnitImpl(SPACE_NAME, DEFAULT_GROUP_ID);