1 files changed, 62 insertions, 26 deletions

diff --git a/src/backend/taler-merchant-httpd_private-patch-products-ID.c b/src/backend/taler-merchant-httpd_private-patch-products-ID.c
index 3ea9b112..46436d06 100644
--- a/src/backend/taler-merchant-httpd_private-patch-products-ID.c
+++ b/src/backend/taler-merchant-httpd_private-patch-products-ID.c
@@ -24,6 +24,7 @@
  */
 #include "platform.h"
 #include "taler-merchant-httpd_private-patch-products-ID.h"
+#include "taler-merchant-httpd_helper.h"
 #include <taler/taler_json_lib.h>
 
 
@@ -87,8 +88,6 @@ determine_cause (struct MHD_Connection *connection,
       ec = TALER_EC_MERCHANT_PRIVATE_PATCH_PRODUCTS_TOTAL_SOLD_REDUCED;
     if (pdx.total_stock > pd->total_stock)
       ec = TALER_EC_MERCHANT_PRIVATE_PATCH_PRODUCTS_TOTAL_STOCKED_REDUCED;
-    if (pd->total_stock < pd->total_sold + pd->total_lost)
-      ec = TALER_EC_MERCHANT_PRIVATE_PATCH_PRODUCTS_TOTAL_LOST_EXCEEDS_STOCKS;
     TALER_MERCHANTDB_product_details_free (&pdx);
     GNUNET_break (TALER_EC_GENERIC_INTERNAL_INVARIANT_FAILURE != ec);
     return TALER_MHD_reply_with_error (connection,
@@ -133,15 +132,15 @@ TMH_private_patch_products_ID (const struct TMH_RequestHandler *rh,
     GNUNET_JSON_spec_mark_optional (
       GNUNET_JSON_spec_json ("taxes",
                              &pd.taxes)),
-    GNUNET_JSON_spec_mark_optional (
-      GNUNET_JSON_spec_json ("address",
-                             &pd.address)),
     GNUNET_JSON_spec_int64 ("total_stock",
                             &total_stock),
     GNUNET_JSON_spec_mark_optional (
       GNUNET_JSON_spec_uint64 ("total_lost",
                                &pd.total_lost)),
     GNUNET_JSON_spec_mark_optional (
+      GNUNET_JSON_spec_json ("address",
+                             &pd.address)),
+    GNUNET_JSON_spec_mark_optional (
       TALER_JSON_spec_absolute_time ("next_restock",
                                      &pd.next_restock)),
     GNUNET_JSON_spec_end ()
@@ -170,7 +169,16 @@ TMH_private_patch_products_ID (const struct TMH_RequestHandler *rh,
     return TALER_MHD_reply_with_error (connection,
                                        MHD_HTTP_CONFLICT,
                                        TALER_EC_GENERIC_CURRENCY_MISMATCH,
-                                       NULL);
+                                       TMH_currency);
+  }
+  if (total_stock < -1)
+  {
+    GNUNET_break_op (0);
+    GNUNET_JSON_parse_free (spec);
+    return TALER_MHD_reply_with_error (connection,
+                                       MHD_HTTP_BAD_REQUEST,
+                                       TALER_EC_GENERIC_PARAMETER_MALFORMED,
+                                       "total_stock");
   }
   if (-1 == total_stock)
     pd.total_stock = INT64_MAX;
@@ -178,35 +186,63 @@ TMH_private_patch_products_ID (const struct TMH_RequestHandler *rh,
     pd.total_stock = (uint64_t) total_stock;
   if (NULL == pd.address)
     pd.address = json_object ();
+
+  if (! TMH_location_object_valid (pd.address))
+  {
+    GNUNET_break_op (0);
+    GNUNET_JSON_parse_free (spec);
+    return TALER_MHD_reply_with_error (connection,
+                                       MHD_HTTP_BAD_REQUEST,
+                                       TALER_EC_GENERIC_PARAMETER_MALFORMED,
+                                       "address");
+  }
   if (NULL == pd.description_i18n)
     pd.description_i18n = json_object ();
+
+  if (! TMH_i18n_object_valid (pd.description_i18n))
+  {
+    GNUNET_break_op (0);
+    GNUNET_JSON_parse_free (spec);
+    return TALER_MHD_reply_with_error (connection,
+                                       MHD_HTTP_BAD_REQUEST,
+                                       TALER_EC_GENERIC_PARAMETER_MALFORMED,
+                                       "description_i18n");
+  }
+
   if (NULL == pd.taxes)
-    pd.taxes = json_object ();
+    pd.taxes = json_array ();
+  /* check taxes is well-formed */
+  if (! TMH_taxes_array_valid (pd.taxes))
+  {
+    GNUNET_break_op (0);
+    GNUNET_JSON_parse_free (spec);
+    return TALER_MHD_reply_with_error (connection,
+                                       MHD_HTTP_BAD_REQUEST,
+                                       TALER_EC_GENERIC_PARAMETER_MALFORMED,
+                                       "taxes");
+  }
   if (NULL == pd.image)
     pd.image = "";
-  if (NULL != json_object_get (hc->request_body,
-                               "next_restock"))
+  if (! TMH_image_data_url_valid (pd.image))
   {
-    enum GNUNET_GenericReturnValue res;
-    struct GNUNET_JSON_Specification spec[] = {
-      TALER_JSON_spec_absolute_time ("next_restock",
-                                     &pd.next_restock),
-      GNUNET_JSON_spec_end ()
-    };
-
-    res = TALER_MHD_parse_json_data (connection,
-                                     hc->request_body,
-                                     spec);
-    if (GNUNET_OK != res)
-      return (GNUNET_NO == res)
-             ? MHD_YES
-             : MHD_NO;
+    GNUNET_break_op (0);
+    GNUNET_JSON_parse_free (spec);
+    return TALER_MHD_reply_with_error (connection,
+                                       MHD_HTTP_BAD_REQUEST,
+                                       TALER_EC_GENERIC_PARAMETER_MALFORMED,
+                                       "image");
   }
-  else
+  if ( (pd.total_stock < pd.total_sold + pd.total_lost) ||
+       (pd.total_sold + pd.total_lost < pd.total_sold) /* integer overflow */)
   {
-    pd.next_restock.abs_value_us = 0;
+    GNUNET_break_op (0);
+    GNUNET_JSON_parse_free (spec);
+    return TALER_MHD_reply_with_error (
+      connection,
+      MHD_HTTP_BAD_REQUEST,
+      TALER_EC_MERCHANT_PRIVATE_PATCH_PRODUCTS_TOTAL_LOST_EXCEEDS_STOCKS,
+      NULL);
   }
-
   qs = TMH_db->update_product (TMH_db->cls,
                                mi->settings.id,
                                product_id,