Add policy checks to prevent manual update of any hosted file URL

rhigman · rhigman · commit 7c3c40989e0a · 2026-04-20T15:43:45.000+01:00
diff --git a/thoth-api/src/model/additional_resource/policy.rs b/thoth-api/src/model/additional_resource/policy.rs
@@ -1,14 +1,18 @@
 use crate::model::additional_resource::{
     AdditionalResource, NewAdditionalResource, PatchAdditionalResource,
 };
+use crate::model::file::File;
 use crate::model::work::{Work, WorkType};
 use crate::model::Crud;
 use crate::policy::{CreatePolicy, DeletePolicy, MovePolicy, PolicyContext, UpdatePolicy};
 use thoth_errors::{ThothError, ThothResult};
 
 /// Write policies for `AdditionalResource`.
 ///
-/// These policies enforce publisher scoping and prevent attachment to chapter records.
+/// These policies are responsible for:
+/// - enforcing publisher scoping
+/// - preventing attachment to chapter records
+/// - preventing manual update of auto-generated Thoth Hosting URLs
 pub struct AdditionalResourcePolicy;
 
 fn ensure_work_is_book(db: &crate::db::PgPool, work_id: uuid::Uuid) -> ThothResult<()> {
@@ -20,6 +24,18 @@ fn ensure_work_is_book(db: &crate::db::PgPool, work_id: uuid::Uuid) -> ThothResu
     }
 }
 
+fn ensure_no_hosted_file(
+    db: &crate::db::PgPool,
+    additional_resource_id: uuid::Uuid,
+) -> ThothResult<()> {
+    let file = File::from_additional_resource_id(db, &additional_resource_id)?;
+    if file.is_some() {
+        Err(ThothError::HostedFileUrlEditError)
+    } else {
+        Ok(())
+    }
+}
+
 impl CreatePolicy<NewAdditionalResource> for AdditionalResourcePolicy {
     fn can_create<C: PolicyContext>(
         ctx: &C,
@@ -41,7 +57,12 @@ impl UpdatePolicy<AdditionalResource, PatchAdditionalResource> for AdditionalRes
         ctx.require_publisher_for(current)?;
         ctx.require_publisher_for(patch)?;
         ensure_work_is_book(ctx.db(), current.work_id)?;
-        ensure_work_is_book(ctx.db(), patch.work_id)
+        ensure_work_is_book(ctx.db(), patch.work_id)?;
+
+        if patch.url != current.url {
+            ensure_no_hosted_file(ctx.db(), current.additional_resource_id)?;
+        }
+        Ok(())
     }
 }
 
diff --git a/thoth-api/src/model/publication/policy.rs b/thoth-api/src/model/publication/policy.rs
@@ -1,4 +1,5 @@
 use crate::model::{
+    file::{File, FileType},
     publication::{NewPublication, PatchPublication, Publication, PublicationProperties},
     work::{Work, WorkProperties},
     Crud,
@@ -11,8 +12,18 @@ use thoth_errors::{ThothError, ThothResult};
 /// These policies are responsible for:
 /// - requiring authentication
 /// - requiring publisher membership (tenant boundary)
+/// - preventing manual update of auto-generated Thoth Hosting URLs
 pub struct PublicationPolicy;
 
+fn ensure_no_hosted_file(db: &crate::db::PgPool, publication_id: uuid::Uuid) -> ThothResult<()> {
+    let file = File::from_publication_id(db, &publication_id, FileType::A11yReport)?;
+    if file.is_some() {
+        Err(ThothError::HostedFileUrlEditError)
+    } else {
+        Ok(())
+    }
+}
+
 impl CreatePolicy<NewPublication> for PublicationPolicy {
     fn can_create<C: PolicyContext>(
         ctx: &C,
@@ -34,6 +45,10 @@ impl UpdatePolicy<Publication, PatchPublication> for PublicationPolicy {
         ctx.require_publisher_for(current)?;
         ctx.require_publisher_for(patch)?;
 
+        if patch.accessibility_report_url != current.accessibility_report_url {
+            ensure_no_hosted_file(ctx.db(), current.publication_id)?;
+        }
+
         patch.validate(ctx.db())
     }
 }
diff --git a/thoth-api/src/model/work/policy.rs b/thoth-api/src/model/work/policy.rs
@@ -1,3 +1,4 @@
+use crate::model::file::File;
 use crate::model::work::{NewWork, PatchWork, Work, WorkProperties, WorkType};
 use crate::policy::{CreatePolicy, DeletePolicy, PolicyContext, UpdatePolicy, UserAccess};
 use thoth_errors::{ThothError, ThothResult};
@@ -7,8 +8,18 @@ use thoth_errors::{ThothError, ThothResult};
 /// This policy layer enforces:
 /// - authentication
 /// - publisher membership derived from the entity / input via `PublisherId`
+/// - preventing manual update of auto-generated Thoth Hosting URLs
 pub struct WorkPolicy;
 
+fn ensure_no_hosted_file(db: &crate::db::PgPool, work_id: uuid::Uuid) -> ThothResult<()> {
+    let file = File::from_work_id(db, &work_id)?;
+    if file.is_some() {
+        Err(ThothError::HostedFileUrlEditError)
+    } else {
+        Ok(())
+    }
+}
+
 impl CreatePolicy<NewWork> for WorkPolicy {
     fn can_create<C: PolicyContext>(ctx: &C, data: &NewWork, _params: ()) -> ThothResult<()> {
         ctx.require_publisher_for(data)?;
@@ -41,6 +52,10 @@ impl UpdatePolicy<Work, PatchWork> for WorkPolicy {
             ctx.require_work_lifecycle_for(patch)?;
         }
 
+        if patch.cover_url != current.cover_url {
+            ensure_no_hosted_file(ctx.db(), current.work_id)?;
+        }
+
         patch.validate()?;
 
         if current.is_published() && !patch.is_published() && !user.is_superuser() {
diff --git a/thoth-api/src/model/work_featured_video/policy.rs b/thoth-api/src/model/work_featured_video/policy.rs
@@ -1,3 +1,4 @@
+use crate::model::file::File;
 use crate::model::work::{Work, WorkType};
 use crate::model::work_featured_video::{
     NewWorkFeaturedVideo, PatchWorkFeaturedVideo, WorkFeaturedVideo,
@@ -8,7 +9,10 @@ use thoth_errors::{ThothError, ThothResult};
 
 /// Write policies for `WorkFeaturedVideo`.
 ///
-/// These policies enforce publisher scoping and prevent attachment to chapter records.
+/// These policies are responsible for:
+/// - enforcing publisher scoping
+/// - preventing attachment to chapter records
+/// - preventing manual update of auto-generated Thoth Hosting URLs
 pub struct WorkFeaturedVideoPolicy;
 
 fn ensure_work_is_book(db: &crate::db::PgPool, work_id: uuid::Uuid) -> ThothResult<()> {
@@ -20,6 +24,18 @@ fn ensure_work_is_book(db: &crate::db::PgPool, work_id: uuid::Uuid) -> ThothResu
     }
 }
 
+fn ensure_no_hosted_file(
+    db: &crate::db::PgPool,
+    work_featured_video_id: uuid::Uuid,
+) -> ThothResult<()> {
+    let file = File::from_work_featured_video_id(db, &work_featured_video_id)?;
+    if file.is_some() {
+        Err(ThothError::HostedFileUrlEditError)
+    } else {
+        Ok(())
+    }
+}
+
 impl CreatePolicy<NewWorkFeaturedVideo> for WorkFeaturedVideoPolicy {
     fn can_create<C: PolicyContext>(
         ctx: &C,
@@ -41,7 +57,12 @@ impl UpdatePolicy<WorkFeaturedVideo, PatchWorkFeaturedVideo> for WorkFeaturedVid
         ctx.require_publisher_for(current)?;
         ctx.require_publisher_for(patch)?;
         ensure_work_is_book(ctx.db(), current.work_id)?;
-        ensure_work_is_book(ctx.db(), patch.work_id)
+        ensure_work_is_book(ctx.db(), patch.work_id)?;
+
+        if patch.url != current.url {
+            ensure_no_hosted_file(ctx.db(), current.work_featured_video_id)?;
+        }
+        Ok(())
     }
 }
 
diff --git a/thoth-errors/src/lib.rs b/thoth-errors/src/lib.rs
@@ -164,6 +164,8 @@ pub enum ThothError {
     WorkFeaturedVideoFileUploadMissingWorkFeaturedVideoId,
     #[error("Accessibility report file upload missing publication_id")]
     AccessibilityReportFileUploadMissingPublicationId,
+    #[error("URLs of uploaded files cannot be overwritten.")]
+    HostedFileUrlEditError,
 }
 
 impl ThothError {

Original file line number	Diff line number	Diff line change
`@@ -164,6 +164,8 @@ pub enum ThothError {`
`164`	`164`	`WorkFeaturedVideoFileUploadMissingWorkFeaturedVideoId,`
`165`	`165`	`#[error("Accessibility report file upload missing publication_id")]`
`166`	`166`	`AccessibilityReportFileUploadMissingPublicationId,`
	`167`	`+ #[error("URLs of uploaded files cannot be overwritten.")]`
	`168`	`+ HostedFileUrlEditError,`
`167`	`169`	`}`
`168`	`170`
`169`	`171`	`impl ThothError {`