From b2e0384f8aa95822b916347181c82ef56deffa0b Mon Sep 17 00:00:00 2001
From: Adria Navarro
Date: Tue, 25 Jul 2023 19:46:46 +0200
Subject: [PATCH] Check ui path vs body

---
 .../server/src/api/controllers/view/viewsV2.ts | 4 ++++
 .../server/src/api/routes/tests/viewV2.spec.ts | 15 +++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/packages/server/src/api/controllers/view/viewsV2.ts b/packages/server/src/api/controllers/view/viewsV2.ts
index 85b6bd2486..9a4949bb43 100644
--- a/packages/server/src/api/controllers/view/viewsV2.ts
+++ b/packages/server/src/api/controllers/view/viewsV2.ts
@@ -24,6 +24,10 @@ export async function update(ctx: Ctx) {
     ctx.throw(400, "Only views V2 can be updated")
   }
+  if (ctx.params.viewId !== view.id) {
+    ctx.throw(400, "View id does not match between the body and the uri path")
+  }
+
   const { tableId } = view
   const result = await sdk.views.update(tableId, view)
diff --git a/packages/server/src/api/routes/tests/viewV2.spec.ts b/packages/server/src/api/routes/tests/viewV2.spec.ts
index 59fadbc37d..e728af3e40 100644
--- a/packages/server/src/api/routes/tests/viewV2.spec.ts
+++ b/packages/server/src/api/routes/tests/viewV2.spec.ts
@@ -187,6 +187,21 @@ describe("/v2/views", () => {
       }
     )
   })
+  it("cannot update the a view with unmatching ids between url and body", async () => {
+    const anotherView = await config.api.viewV2.create()
+    const result = await config
+      .request!.put(`/api/v2/views/${anotherView.id}`)
+      .send(view)
+      .set(config.defaultHeaders())
+      .expect("Content-Type", /json/)
+      .expect(400)
+    expect(result.body).toEqual({
+      message: "View id does not match between the body and the uri path",
+      status: 400,
+    })
+  })
 })
 describe("delete", () => {
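Review bot: The added `if (ctx.params.viewId !== view.id)` pins the id but still leaves `tableId` under client control: the context line right after the insertion is `const { tableId } = view`, so the request body decides which table `sdk.views.update(tableId, view)` writes to, and nothing in this hunk confirms that the view named by `ctx.params.viewId` actually belongs to that table. Unless `sdk.views.update` (not shown) loads the stored view and rejects a table mismatch, a caller can send a matching `id` together with a different `tableId` and have the view written under another table. A safer shape is to resolve the stored view by `ctx.params.viewId`, take `tableId` from that record instead of the body, and respond 400 (or 404) when the body's `tableId` disagrees; whether route-level auth middleware already scopes access per table cannot be seen here. `update`'s body starts before this hunk (the `view` binding is defined outside it) and continues after it.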
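Review bot: The new test only asserts the status and message of the rejection; it never checks that neither `view` nor `anotherView` was modified, which is the property the controller check exists to protect, so a regression that returns the 400 but still performs the write would pass unnoticed. After the `.expect(400)` chain, re-read `anotherView` (through whatever getter `config.api.viewV2` offers alongside `create()`, if one exists) and assert it still equals the created record. The test title also carries a typo: `cannot update the a view` should read `cannot update a view`. The enclosing `describe("/v2/views", …)` and the `view` fixture the test sends start outside the hunk.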