sergehuber commented on a change in pull request #131: Add the ability to
update event by item id
URL: https://github.com/apache/unomi/pull/131#discussion_r385716835
##########
File path: wab/src/main/java/org/apache/unomi/web/ServletCommon.java
##########
@@ -67,8 +67,12 @@ public static Changes handleEvents(List<Event> events,
Session session, Profile
if (events != null && !(profile instanceof Persona)) {
for (Event event : events) {
if (event.getEventType() != null) {
- Event eventToSend = new Event(event.getEventType(),
session, profile, event.getScope(), event.getSource(),
- event.getTarget(), event.getProperties(),
timestamp, event.isPersistent());
+ Event eventToSend;
+ if (event.getItemId() != null) {
+ eventToSend = new Event(event.getItemId(),
event.getEventType(), session, profile, event.getScope(), event.getSource(),
event.getTarget(), event.getProperties(), timestamp, event.isPersistent());
Review comment:
This is the most dangerous part of this modification, as it allows an itemId
to come from a REST request. This should be secured after the
eventService.isEventAllowed part and this last one should only be allowed if a
Unomi-Key is sent and only allowed from configured IP addresses. See the
relevant part in the documentation:
http://unomi.apache.org/manual/latest/index.html#_secured_events_configuration
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
