Manage Guestbook APIs to Edit Guestbooks and retrieve Guestbook Respo…

[stevenwinship]

What this PR does / why we need it: The user needs the ability to edit a Guestbook after creation (JSF allows this). Also an API is needed to retrieve the Guestbook Responses with more detailed Guestbook metadata and Guestbook Response metadata than the original API produced.

Which issue(s) this PR closes:#12386

• Closes Manage Guestbook API: Edit guestbook and Responses table #12386

Special notes for your reviewer:

Suggestions on how to test this:

Does this PR introduce a user interface change? If mockups are available, please link/include them here:

Is there a release notes update needed for this change?: included

Additional documentation:

[coveralls]

coverage: 25.049% (-0.02%) from 25.067% — 12386-manage-guestbook-apis into develop

[github-actions]

Test Results

398 tests  +1   382 ✅ ±0   37m 20s ⏱️ + 12m 9s
 54 suites +1    15 💤 ±0 
 54 files   +1     1 ❌ +1 

For more details on these failures, see this check.

Results for commit bc94b4c. ± Comparison against base commit 0a1817f.

♻️ This comment has been updated with latest results.

[rtreacy]

Claude Code review follows--

PR #12395 Review: Manage Guestbook APIs to Edit Guestbooks and Retrieve Guestbook Responses

Author: stevenwinship | Branch: 12386-manage-guestbook-apis → develop | Milestone: 6.11

Overview

This PR adds two new API endpoints:

1. PUT /api/guestbooks/{id} — Update an existing guestbook (name, settings, custom questions)
2. GET /api/guestbooks/{id}/responses — Retrieve paginated guestbook responses

It also improves JSON serialization with null-safety checks and better formatting.

---

Issues Found

1. SQL Injection Vulnerability (High)

File: GuestbookResponseServiceBean.java

TypedQuery query = em.createQuery(
"select o from GuestbookResponse as o where o.guestbook.id = " + guestbookId + " ...",
GuestbookResponse.class);

The guestbookId is concatenated directly into the JPQL string. While it's a Long (mitigating classic SQL injection), this is still a bad pattern — it bypasses the query cache and is
inconsistent with best practices. Should use a parameterized query:
em.createQuery("select o from GuestbookResponse as o where o.guestbook.id = :guestbookId order by o.responseTime desc", GuestbookResponse.class)
.setParameter("guestbookId", guestbookId);

Note: This is a pre-existing issue (the old code had it too), but the refactoring was an opportunity to fix it.

2. Missing Permission Check on Update Endpoint (Medium)

File: Guestbooks.java, updateGuestbook() method

The updateGuestbook method does not perform an explicit permission check before executing the command. It relies on the UpdateGuestbookCommand to enforce permissions internally. Compare this
to getResponses() which explicitly checks Permission.EditDataverse. While command-level permission enforcement is an accepted pattern in this codebase, the inconsistency within the same
file is worth calling out — verify that UpdateGuestbookCommand properly checks EditDataverse permission.

3. Potential NullPointerException in json(GuestbookResponse) (Medium)

File: JsonPrinter.java

guestbookResponseObject.add("dataset", gbResponse.getDataset().getDisplayName());
guestbookResponseObject.add("datasetPid", gbResponse.getDataset().getIdentifier());
guestbookResponseObject.add("type", gbResponse.getEventType());
guestbookResponseObject.add("fileName", gbResponse.getDataFile().getDisplayName());
guestbookResponseObject.add("fileId", gbResponse.getDataFile().getId());

If getDataset(), getDataFile(), or getEventType() returns null, this throws NPE. The existing code protects getAuthenticatedUser(), getEmail(), etc. with null checks — these fields should be
similarly guarded, especially since responses for deleted files/datasets could still exist.

4. Documentation Typo (Low)

File: doc/release-notes/12386-manage-guestbook-apis.md and native-api.rst

The curl example for the responses endpoint has ?limit10&offset=0 — missing the = sign after limit:
curl -H "X-Dataverse-key:$API_TOKEN" "$SERVER_URL/api/guestbooks/$ID/responses?limit10&offset=0"
Should be ?limit=10&offset=0.

5. Wildcard Import (Low)

File: Guestbooks.java

import edu.harvard.iq.dataverse.*;

The explicit imports were replaced with a wildcard import. This is generally discouraged as it can cause ambiguity and makes dependencies less clear. The codebase style appears to prefer
explicit imports.

6. Pagination Edge Case (Low)

File: Guestbooks.java, getResponses() method

if (next < totalResponseCount) {
guestbookPageObject.add("next", baseUrl + next);
}

The totalResponseCount comes from findCountByGuestbookId(guestbook.getId(), dataverse.getId()) which filters by dataverse, while the actual response list comes from
findAllByGuestbookId(guestbook.getId(), offset, limit) which does NOT filter by dataverse. These could produce inconsistent results if guestbooks are inherited across collections.

---

Code Quality & Style

• Good: The update endpoint follows the existing response(req -> {...}) pattern used elsewhere in the file.
• Good: Null-safety improvements to json(Guestbook) and json(CustomQuestion) for ID fields.
• Good: The customQuestions array is now only added when non-empty — cleaner JSON output.
• Good: Integration tests cover create → update → modify questions → disable flow.
• The pagination test in FilesIT.java is solid and verifies count consistency across pages.

Suggestions

1. Return empty list instead of null in findAllByGuestbookId when guestbookId is null — returning null from a collection-returning method forces null checks on callers.
2. Consider adding Content-Type: application/json to the updateGuestbook utility method in UtilIT.java — the PUT body is JSON but no content type header is set.
3. The createTime format change from .toString() to format() is a good improvement for consistency, but it's a subtle API contract change for existing consumers of GET /api/guestbooks/{id}.
   Worth noting in the release notes.

---

Summary

The PR delivers useful functionality and follows the project's existing patterns well. The main concerns are: (1) the JPQL concatenation should use a parameter, (2) potential NPEs in
json(GuestbookResponse) for orphaned data, and (3) the documentation has a typo in the curl example (limit10 instead of limit=10). Otherwise solid work.

---

The pr addresses the immediate issue. The question is whether we should follow up on the issues Claude raises, especially the High and Medium concerns. I lean toward doing that

[rtreacy]

per the discussion this morning, moving issues that go beyond current fix to another issue and approving

[github-actions]

📦 Pushed preview images as

ghcr.io/gdcc/dataverse:12386-manage-guestbook-apis

ghcr.io/gdcc/configbaker:12386-manage-guestbook-apis

🚢 See on GHCR. Use by referencing with full name as printed above, mind the registry name.