fix: enforce sort_key is unique per user

jmattheis · jmattheis · commit c5a96c081408 · 2026-01-24T12:53:43.000+01:00
diff --git a/api/application.go b/api/application.go
@@ -12,6 +12,7 @@ import (
 	"github.com/gotify/server/v2/auth"
 	"github.com/gotify/server/v2/model"
 	"github.com/h2non/filetype"
+	"gorm.io/gorm"
 )
 
 // The ApplicationDatabase interface for encapsulating database access.
@@ -102,7 +103,8 @@ func (a *ApplicationAPI) CreateApplication(ctx *gin.Context) {
 			Internal:        false,
 		}
 
-		if success := successOrAbort(ctx, 500, a.DB.CreateApplication(&app)); !success {
+		if err := a.DB.CreateApplication(&app); err != nil {
+			handleApplicationError(ctx, err)
 			return
 		}
 		ctx.JSON(200, withResolvedImage(&app))
@@ -262,7 +264,8 @@ func (a *ApplicationAPI) UpdateApplication(ctx *gin.Context) {
 					app.SortKey = applicationParams.SortKey
 				}
 
-				if success := successOrAbort(ctx, 500, a.DB.UpdateApplication(app)); !success {
+				if err := a.DB.UpdateApplication(app); err != nil {
+					handleApplicationError(ctx, err)
 					return
 				}
 				ctx.JSON(200, withResolvedImage(app))
@@ -477,3 +480,11 @@ func ValidApplicationImageExt(ext string) bool {
 		return false
 	}
 }
+
+func handleApplicationError(ctx *gin.Context, err error) {
+	if errors.Is(err, gorm.ErrDuplicatedKey) {
+		ctx.AbortWithError(400, errors.New("sort key is not unique"))
+	} else {
+		ctx.AbortWithError(500, err)
+	}
+}
diff --git a/api/application_test.go b/api/application_test.go
@@ -647,6 +647,21 @@ func (s *ApplicationSuite) Test_UpdateApplication_WithoutPermission_expectNotFou
 	assert.Equal(s.T(), 404, s.recorder.Code)
 }
 
+func (s *ApplicationSuite) Test_UpdateApplication_duplicateSortKey() {
+	user := s.db.User(5)
+	user.App(1) // sortKey=a0
+	user.App(2) // sortKey=a1
+
+	s.withFormData("name=new_name&sortKey=a0")
+	test.WithUser(s.ctx, 5)
+	s.ctx.Params = gin.Params{{Key: "id", Value: "2"}}
+
+	s.a.UpdateApplication(s.ctx)
+
+	assert.EqualError(s.T(), s.ctx.Errors[0].Err, "sort key is not unique")
+	assert.Equal(s.T(), 400, s.recorder.Code)
+}
+
 func (s *ApplicationSuite) withFormData(formData string) {
 	s.ctx.Request = httptest.NewRequest("POST", "/token", strings.NewReader(formData))
 	s.ctx.Request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
diff --git a/database/database.go b/database/database.go
@@ -36,6 +36,7 @@ func New(dialect, connection, defaultUser, defaultPass string, strength int, cre
 	gormConfig := &gorm.Config{
 		Logger:                                   dbLogger,
 		DisableForeignKeyConstraintWhenMigrating: true,
+		TranslateError:                           true,
 	}
 
 	var db *gorm.DB
diff --git a/model/application.go b/model/application.go
@@ -20,7 +20,7 @@ type Application struct {
 	// required: true
 	// example: AWH0wZ5r0Mbac.r
 	Token  string `gorm:"type:varchar(180);uniqueIndex:uix_applications_token" json:"token"`
-	UserID uint   `gorm:"index" json:"-"`
+	UserID uint   `gorm:"index;uniqueIndex:idx_id_sortkey,priority:1" json:"-"`
 	// The application name. This is how the application should be displayed to the user.
 	//
 	// required: true
@@ -58,5 +58,5 @@ type Application struct {
 	//
 	// required: false
 	// example: a1
-	SortKey string `form:"sortKey" query:"sortKey" json:"sortKey"`
+	SortKey string `gorm:"uniqueIndex:idx_id_sortkey,priority:2" form:"sortKey" query:"sortKey" json:"sortKey"`
 }

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ import (`
`12`	`12`	`"github.com/gotify/server/v2/auth"`
`13`	`13`	`"github.com/gotify/server/v2/model"`
`14`	`14`	`"github.com/h2non/filetype"`
	`15`	`+ "gorm.io/gorm"`
`15`	`16`	`)`
`16`	`17`
`17`	`18`	`// The ApplicationDatabase interface for encapsulating database access.`
`@@ -102,7 +103,8 @@ func (a ApplicationAPI) CreateApplication(ctx gin.Context) {`
`102`	`103`	`Internal: false,`
`103`	`104`	`}`
`104`	`105`
`105`		`- if success := successOrAbort(ctx, 500, a.DB.CreateApplication(&app)); !success {`
	`106`	`+ if err := a.DB.CreateApplication(&app); err != nil {`
	`107`	`+ handleApplicationError(ctx, err)`
`106`	`108`	`return`
`107`	`109`	`}`
`108`	`110`	`ctx.JSON(200, withResolvedImage(&app))`
`@@ -262,7 +264,8 @@ func (a ApplicationAPI) UpdateApplication(ctx gin.Context) {`
`262`	`264`	`app.SortKey = applicationParams.SortKey`
`263`	`265`	`}`
`264`	`266`
`265`		`- if success := successOrAbort(ctx, 500, a.DB.UpdateApplication(app)); !success {`
	`267`	`+ if err := a.DB.UpdateApplication(app); err != nil {`
	`268`	`+ handleApplicationError(ctx, err)`
`266`	`269`	`return`
`267`	`270`	`}`
`268`	`271`	`ctx.JSON(200, withResolvedImage(app))`
`@@ -477,3 +480,11 @@ func ValidApplicationImageExt(ext string) bool {`
`477`	`480`	`return false`
`478`	`481`	`}`
`479`	`482`	`}`
	`483`	`+`
	`484`	`+func handleApplicationError(ctx *gin.Context, err error) {`
	`485`	`+ if errors.Is(err, gorm.ErrDuplicatedKey) {`
	`486`	`+ ctx.AbortWithError(400, errors.New("sort key is not unique"))`
	`487`	`+ } else {`
	`488`	`+ ctx.AbortWithError(500, err)`
	`489`	`+ }`
	`490`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ func New(dialect, connection, defaultUser, defaultPass string, strength int, cre`
`36`	`36`	`gormConfig := &gorm.Config{`
`37`	`37`	`Logger: dbLogger,`
`38`	`38`	`DisableForeignKeyConstraintWhenMigrating: true,`
	`39`	`+ TranslateError: true,`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`var db *gorm.DB`