From 9b48c380ea71b6563458a837ea0739fed1327be1 Mon Sep 17 00:00:00 2001 From: Karoline Tufte Lien Date: Wed, 1 Jul 2026 17:48:14 +0200 Subject: [PATCH] test: Add regression test for externalAuth PUT round-trip [DHIS2-17597] Adds a controller test asserting that a user's externalAuth flag survives repeated full GET/PUT round-trips. The reported bug (2.39-2.41) toggled externalAuth on each PUT; this guards against a regression on the UserController.putJsonObject -> MetadataImport -> merge path. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../webapi/controller/UserControllerTest.java | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/UserControllerTest.java b/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/UserControllerTest.java index 04eeae212ea6..4bc335556602 100644 --- a/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/UserControllerTest.java +++ b/dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/UserControllerTest.java @@ -932,6 +932,31 @@ void testPutJsonObject() { PUT("/38/users/" + peter.getUid(), user.toString()).content(HttpStatus.OK)); } + @Test + @DisplayName("externalAuth is preserved across repeated full GET/PUT round-trips (DHIS2-17597)") + void testPutJsonObjectPreservesExternalAuth() { + // given a user that authenticates externally (e.g. OIDC/LDAP) + User user = userService.getUser(peter.getUid()); + user.setExternalAuth(true); + userService.updateUser(user); + + // when the full representation is fetched and PUT back unchanged + JsonObject body = GET("/users/{id}", peter.getUid()).content(); + assertTrue( + body.getBoolean("externalAuth").booleanValue(), + "precondition: fetched payload should carry externalAuth=true"); + assertStatus(HttpStatus.OK, PUT("/users/" + peter.getUid(), body.toString())); + assertTrue( + userService.getUser(peter.getUid()).isExternalAuth(), + "externalAuth must remain true after the first round-trip PUT"); + + // and again with the identical payload: guards against the reported true<->false toggle + assertStatus(HttpStatus.OK, PUT("/users/" + peter.getUid(), body.toString())); + assertTrue( + userService.getUser(peter.getUid()).isExternalAuth(), + "externalAuth must remain true after a second identical PUT (no toggle)"); + } + @Test void testPutJsonObject_AddUserGroupLastUpdatedByUpdated() throws JsonProcessingException { // create user