Tighten behavior around cross-container actions

Author: bbimber

laboratory/api-src/org/labkey/api/laboratory/assay/DefaultAssayParser.java

@@ -29,6 +29,7 @@
 import org.labkey.api.assay.AssayService;
 import org.labkey.api.collections.CaseInsensitiveHashMap;
 import org.labkey.api.data.Container;
+import org.labkey.api.data.ContainerManager;
 import org.labkey.api.data.ContainerType;
 import org.labkey.api.data.ConvertHelper;
 import org.labkey.api.data.SimpleFilter;
@@ -605,6 +606,18 @@ protected Map<String, Map<String, Object>> getTemplateRowMap(ImportContext conte
 
         Map<String, Object> map = maps[0];
         JSONObject templateJson = new JSONObject((String)map.get("json"));
+
+        // This enforces that the request and existing record are from the same container, including for workbook/parents:
+        Container rowContainer = ContainerManager.getForId(String.valueOf(map.get("container")));
+        if (rowContainer == null)
+        {
+            throw new IllegalStateException("Unable to determine the container for template: " + templateId);
+        }
+        else if (!rowContainer.equals(context.getViewContext().getContainer()))
+        {
+            throw new IllegalStateException("Template is from the wrong container: " + templateId);
+        }
+
         JSONArray rows = templateJson.getJSONArray("ResultRows");
         for (JSONObject row : JsonUtil.toJSONObjectList(rows))
         {

laboratory/src/org/labkey/laboratory/assay/AssayHelper.java

@@ -195,9 +195,10 @@ public void validateTemplate(User u, Container c, ExpProtocol protocol, @Nullabl
             throw errors;
         }
 
-        // Verify if this template exists and permissions:
+        // Verify if this template exists and permissions. This expects any existing row to be present in the current container:
         if (templateId != null)
         {
+            // This queries the current container+workbooks to identify the existence of rows in other reasonable containers:
             UserSchema us = QueryService.get().getUserSchema(u, c.getContainerFor(ContainerType.DataType.tabParent), "laboratory");
             TableInfo ti = us.getTable("assay_run_templates");
             TableSelector ts = new TableSelector(ti, PageFlowUtil.set("container"), new SimpleFilter(FieldKey.fromString("rowId"), templateId), null);
@@ -215,6 +216,12 @@ public void validateTemplate(User u, Container c, ExpProtocol protocol, @Nullabl
                     errors.addRowError(new ValidationException("The current user does not have permission to edit template: " + templateId));
                     throw errors;
                 }
+
+                if (!c.equals(rowContainer))
+                {
+                    errors.addRowError(new ValidationException("Template " + templateId + " is not from this folder"));
+                    throw errors;
+                }
             }
             else
             {