From ac2b2921d6050a112f9875b1329a54bf4c3c3a58 Mon Sep 17 00:00:00 2001
From: Doug Hellmann
Date: Tue, 30 Jan 2018 21:04:04 +0000
Subject: [PATCH] do not allow story id to change via payload

There is already an explicit check to prevent changing a task through a URL referring to the wrong story. storyboard.tests.api.test_tasks.TestTasksNestedController.test_update_error is failing with sqlite when the story id of a task is modified, but it fails with the wrong error (404 instead of 400). Update the controller to test the case explicitly and return 400.

Change-Id: Iabbc9cc733cc96fe77b721d28ee350a9beab7613
Signed-off-by: Doug Hellmann
---
 storyboard/api/v1/tasks.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/storyboard/api/v1/tasks.py b/storyboard/api/v1/tasks.py
index 67d0dc13..0d9b96eb 100644
--- a/storyboard/api/v1/tasks.py
+++ b/storyboard/api/v1/tasks.py
@@ -664,6 +664,12 @@ class TasksNestedController(rest.RestController):
 if original_task.story_id != story_id:
 abort(400, _("URL story_id and task.story_id do not match"))

+ if task.story_id and original_task.story_id != task.story_id:
+ abort(
+ 400,
+ _("the story_id of a task cannot be changed through this API"),
+ )
+
 task = task_is_valid_put(task, original_task)

 updated_task = tasks_api.task_update(task_id, task.as_dict(
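Review bot: The added guard tests `task.story_id` for truthiness, so a payload whose story_id is present but falsy (`0`, or an explicit null if the field type accepts one) skips the comparison and still reaches `tasks_api.task_update(task_id, task.as_dict(` a few lines below. The truthiness test is presumably there to skip requests that omit the field; if the payload is a WSME model whose absent attributes are `wsme.Unset`, checking for that sentinel keeps the intent while rejecting every supplied value that differs, e.g. `if task.story_id is not wsme.Unset and original_task.story_id != task.story_id:` (confirm the sentinel and that `wsme` is imported in this module). Since the URL's story_id is what the preceding check ties the request to, a task re-parented or detached through the body would sidestep that check, so a test case with `story_id` set to `0` and to null alongside the existing test_update_error case would pin the behaviour. The enclosing method starts before and continues past this hunk, so how `task_is_valid_put` treats story_id is not visible here.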