fix: fix bugs in the endpoint for updating endorsements

[Shyam-Vishwakarma]

Date: 3rd June 2025

Developer Name: @Shyam-Vishwakarma

Issue Ticket Number

• Closes: [BUG] Fix bugs in PATCH /v1/endorsements/{id} endpoint #206
  • Closes: [BUG] User can update an endorsement which is endorsed by other user #201
  • Closes: [BUG] User can update an endorsement with empty message #202
  • Closes: [BUG] Endorsement is updated even if there is an error in getting endorse or endorser details #205

Description

• Fixed the bugs in endpoint for updating endorsements:

  • Made changes to ensure that endorsements are not updated with an empty message
  • Before updating the endorsements, ownership is being checked now. If user is endorser in the endorsement to be updated, then only changes will be allowed.
  • User detail is being fetched before making changes in the database so that if there is any error fetching in user details then there won't be any in the DB.

• Enabled the test cases that were disabled because they were failing due to bugs that are fixed in this pr.

Documentation Updated?

• Yes
• No

Under Feature Flag

• Yes
• No

Database Changes

• Yes
• No

Breaking Changes

• Yes
• No

Development Tested?

• Yes
• No

Screenshots

Screenshot 1

Build success:

cmd: mvn verify --file skill-tree/pom.xml -P git-build-profile -Dskip-tests=true

Test Coverage

Screenshot 1

All tests passing:

Description by Korbit AI

What change is being made?

Add development mode parameter to endpoint for updating endorsements, implement checks for authorization and invalid operation handling, and enhance tests to verify non-dev mode restriction.

Why are these changes being made?

The changes address bugs by ensuring updates to endorsements only occur in development mode through a new dev query parameter. This addition helps differentiate between environments and provides error handling for attempts to perform updates outside of development settings, improving security and intention clarity. Additionally, tests previously disabled due to bugs have been enabled and extended to ensure proper functionality under the new constraint.

Is this description stale? Ask me to generate a new description by commenting /korbit-generate-pr-description

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Summary by CodeRabbit

• New Features
  • Added an optional "dev" parameter to the endorsement update endpoint, enabling additional authorization checks when updating endorsements.
• Improvements
  • Enhanced validation for endorsement messages to reject empty or whitespace-only inputs.
• Tests
  • Re-enabled previously disabled integration tests for endorsement updates.
  • Updated tests to cover scenarios using the new "dev" parameter.

Walkthrough

The update method for endorsements was modified to accept an optional "dev" boolean parameter, enabling stricter authorization checks when set. The validation for the endorsement message was strengthened to require non-blank values. Integration tests were updated to re-enable and exercise these new behaviors using the "dev" parameter.

Changes

File(s)	Change Summary
.../apis/EndorsementsApi.java	Updated update method to accept a boolean "dev" parameter and pass it to the service layer.
.../services/EndorsementService.java .../EndorsementServiceImplementation.java	Modified update method signatures to include "isDev" parameter; implemented stricter authorization when true.
.../viewmodels/UpdateEndorsementViewModel.java	Changed validation annotation on "message" from @NotNull to @notblank.
.../integration/skills/UpdateEndorsementsIntegrationTest.java	Re-enabled previously disabled tests; added "isDev" query parameter to relevant test requests.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant EndorsementsApi
    participant EndorsementService
    participant Database
    participant RdsService

    Client->>EndorsementsApi: PATCH /endorsements/{id}?dev=true
    EndorsementsApi->>EndorsementService: update(id, body, isDev=true)
    EndorsementService->>Database: Retrieve endorsement by id
    Database-->>EndorsementService: Endorsement details
    EndorsementService->>RdsService: Get current user details
    RdsService-->>EndorsementService: User details
    EndorsementService->>EndorsementService: Check if user is endorser
    alt User is endorser
        EndorsementService->>Database: Update endorsement
        Database-->>EndorsementService: Updated endorsement
        EndorsementService-->>EndorsementsApi: EndorsementViewModel
    else Not endorser or error
        EndorsementService-->>EndorsementsApi: Error/Forbidden
    end
    EndorsementsApi-->>Client: Response

Loading

Assessment against linked issues

Objective	Addressed	Explanation
Only the endorser can update their endorsement (#201, #206)	✅
System should validate that the message field is not empty (#202, #206)	✅
Update operation must be atomic; no update if user/endorser details retrieval fails (#205, #206)	✅

Suggested reviewers

• MayankBansal12
• iamitprakash

Poem

A patch for the tree, with care it was grown,
Now only the endorser may edit what's sown.
No blank words allowed—each message must gleam,
And atomicity rules, like a well-oiled machine.
With tests now enabled, the bugs run away—
The skill-tree stands stronger, hooray for today! 🐇🌳

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

🔭 Outside diff range comments (3)

skill-tree/src/main/java/com/RDS/skilltree/services/EndorsementServiceImplementation.java (3)

167-167: 🧹 Nitpick (assertive)

Use parameterized logging instead of String.format.

For consistency with the rest of the codebase and better performance, use parameterized logging.

-log.info(String.format("Endorsement with id: %s not found", endorsementId));
+log.info("Endorsement with id: {} not found", endorsementId);

---

179-188: ⚠️ Potential issue

Fetch user details before database changes to prevent inconsistencies.

According to the PR objectives, user details should be fetched before making database changes to avoid database errors if user detail retrieval fails. The current implementation saves the endorsement first, which could lead to data inconsistencies.

-Endorsement savedEndorsementDetails = endorsementRepository.save(endorsement);
 RdsGetUserDetailsResDto endorseDetails =
-        rdsService.getUserDetails(savedEndorsementDetails.getEndorseId());
+        rdsService.getUserDetails(endorsement.getEndorseId());
 RdsGetUserDetailsResDto endorserDetails =
-        rdsService.getUserDetails(savedEndorsementDetails.getEndorserId());
+        rdsService.getUserDetails(endorsement.getEndorserId());
+
+Endorsement savedEndorsementDetails = endorsementRepository.save(endorsement);

 return EndorsementViewModel.toViewModel(
         savedEndorsementDetails,
         UserViewModel.toViewModel(endorseDetails.getUser()),
         UserViewModel.toViewModel(endorserDetails.getUser()));

---

130-188: 🧹 Nitpick (assertive)

🛠️ Refactor suggestion

Consider unifying the authorization logic across both paths.

The current implementation creates two distinct behaviors based on the isDev flag:

• The dev path includes ownership checks and early user fetching
• The non-dev path lacks these security features

This dual behavior raises several concerns:

1. Security: The non-dev path allows any authenticated user to update any endorsement, which could be a security vulnerability
2. Maintainability: Having two different code paths increases complexity and the chance of bugs
3. Code duplication: Both paths share similar logic that could be refactored

Consider applying the ownership check and early user fetching to both paths, removing the need for the isDev parameter. If a gradual rollout is needed, use a proper feature flag system that can be toggled without code changes.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 526e35a and 2f3f3bd.

📒 Files selected for processing (5)

• skill-tree/src/main/java/com/RDS/skilltree/apis/EndorsementsApi.java (1 hunks)
• skill-tree/src/main/java/com/RDS/skilltree/services/EndorsementService.java (1 hunks)
• skill-tree/src/main/java/com/RDS/skilltree/services/EndorsementServiceImplementation.java (2 hunks)
• skill-tree/src/main/java/com/RDS/skilltree/viewmodels/UpdateEndorsementViewModel.java (1 hunks)
• skill-tree/src/test/java/com/RDS/skilltree/integration/skills/UpdateEndorsementsIntegrationTest.java (4 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (2)

skill-tree/src/main/java/com/RDS/skilltree/services/EndorsementServiceImplementation.java (1)

skill-tree/src/main/java/com/RDS/skilltree/utils/Constants.java (1)

• ExceptionMessages (6-18)

skill-tree/src/main/java/com/RDS/skilltree/viewmodels/UpdateEndorsementViewModel.java (1)

skill-tree/src/main/java/com/RDS/skilltree/utils/Constants.java (1)

• ExceptionMessages (6-18)

🔇 Additional comments (7)

skill-tree/src/main/java/com/RDS/skilltree/viewmodels/UpdateEndorsementViewModel.java (2)

4-4: Good improvement in validation annotation.

The change from @NotNull to @NotBlank import is correct and necessary for the enhanced validation.

---

11-11: Excellent validation enhancement.

Changing from @NotNull to @NotBlank is a significant improvement that prevents empty strings and whitespace-only messages, not just null values. This directly addresses the PR objective of preventing endorsements from being updated with empty messages.

skill-tree/src/test/java/com/RDS/skilltree/integration/skills/UpdateEndorsementsIntegrationTest.java (4)

62-62: Good addition of test constant.

The isDev constant is well-named and will be used to test the new authorization logic when the dev flag is enabled.

---

208-209: Correct test modification for authorization scenario.

The addition of isDev parameter to this test case is appropriate since this test verifies that users cannot update endorsements they didn't create. This enables the stricter authorization check that should prevent the update.

---

258-259: Appropriate use of dev flag in error scenario test.

Adding the isDev parameter to this test is correct as it tests the scenario where RDS service fails to get endorser details. With the dev flag enabled, the authorization check will be attempted, making this test relevant for the new functionality.

---

287-288: Correct application of dev flag for endorse details failure test.

The isDev parameter is appropriately added to test the scenario where getting endorse details fails. This ensures the new authorization logic is exercised even when user detail retrieval fails.

skill-tree/src/main/java/com/RDS/skilltree/services/EndorsementServiceImplementation.java (1)

130-162: Good implementation of authorization checks and early user fetching.

The new conditional logic when isDev=true correctly implements:

• Ownership verification before allowing updates
• Early user detail fetching to prevent database changes if user retrieval fails
• Proper exception handling with descriptive messages

This aligns well with the PR objectives.

[iamitprakash]

please check below solution and make changes accordingly

[Shyam-Vishwakarma]

please check below solution and make changes accordingly

@iamitprakash sir, I've made the changes:

        if (endorsement.getEndorserId().equals(userId)) {
            RdsGetUserDetailsResDto endorseDetails =
                    rdsService.getUserDetails(endorsement.getEndorseId());
            RdsGetUserDetailsResDto endorserDetails = rdsService.getUserDetails(userId);

            endorsement.setMessage(body.getMessage());
            Endorsement savedEndorsementDetails = endorsementRepository.save(endorsement);

            return EndorsementViewModel.toViewModel(
                    savedEndorsementDetails,
                    UserViewModel.toViewModel(endorseDetails.getUser()),
                    UserViewModel.toViewModel(endorserDetails.getUser()));
        } else {
            log.warn("User: {} is not authorized to update endorsement: {}", userId, endorsementId);
            throw new ForbiddenException(ExceptionMessages.UNAUTHORIZED_ENDORSEMENT_UPDATE);
        }

UserDetails are needed to create EndorsementViewModel and according to CFD, view-model should be prepared after updating the endorsement.
But I am fetching user details before updating the endorsement so that if there is any error finding user details then endorsement do not update. If I do it after, then there will be a need of rollback.