fix: not apply identiable token filter to uid length < 4 (#19272)

dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/query/operators/TokenOperator.java

@@ -61,7 +61,9 @@ public Criterion getHibernateCriterion(QueryPath queryPath) {
   @Override
   public <Y> Predicate getPredicate(CriteriaBuilder builder, Root<Y> root, QueryPath queryPath) {
     String value = caseSensitive ? getValue(String.class) : getValue(String.class).toLowerCase();
-
+    if (skipUidToken(value, queryPath)) {
+      return null;
+    }
     Predicate defaultSearch =
         builder.equal(
             builder.function(
@@ -94,4 +96,15 @@ public <Y> Predicate getPredicate(CriteriaBuilder builder, Root<Y> root, QueryPa
   public boolean test(Object value) {
     return TokenUtils.test(value, getValue(String.class), caseSensitive, matchMode);
   }
+
+  /**
+   * Return
+   *
+   * @param value
+   * @param query
+   * @return
+   */
+  private boolean skipUidToken(String value, QueryPath query) {
+    return "uid".equals(query.getProperty().getFieldName()) && value.length() < 4;
+  }
 }

dhis-2/dhis-services/dhis-service-core/src/test/java/org/hisp/dhis/query/TokenOperatorTest.java

@@ -28,11 +28,15 @@
 package org.hisp.dhis.query;
 
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import org.hisp.dhis.query.operators.MatchMode;
 import org.hisp.dhis.query.operators.NotTokenOperator;
 import org.hisp.dhis.query.operators.TokenOperator;
+import org.hisp.dhis.query.planner.QueryPath;
+import org.hisp.dhis.schema.Property;
+import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 
 /**
@@ -43,6 +47,16 @@
  */
 class TokenOperatorTest {
 
+  @Test
+  @DisplayName("Uid Token filter must have at least 4 characters. Otherwise return null.")
+  void testUidLength() {
+    TokenOperator operator = new TokenOperator("ABC", false, MatchMode.ANYWHERE);
+    Property property = new Property();
+    property.setFieldName("uid");
+    QueryPath queryPath = new QueryPath(property, true);
+    assertNull(operator.getPredicate(null, null, queryPath));
+  }
+
   @Test
   void nullValue() {
     for (MatchMode mode : MatchMode.values()) {

dhis-2/dhis-test-web-api/src/test/java/org/hisp/dhis/webapi/controller/CrudControllerIntegrationTest.java

@@ -37,6 +37,7 @@
 import org.hisp.dhis.dataset.DataSet;
 import org.hisp.dhis.http.HttpStatus;
 import org.hisp.dhis.jsontree.JsonArray;
+import org.hisp.dhis.jsontree.JsonMixed;
 import org.hisp.dhis.organisationunit.OrganisationUnit;
 import org.hisp.dhis.setting.SystemSettingsService;
 import org.hisp.dhis.test.webapi.PostgresControllerIntegrationTestBase;
@@ -197,6 +198,30 @@ void testSearchTokenWithFallback() throws Exception {
             .isEmpty());
   }
 
+  @Test
+  @DisplayName("Should not apply token filter for UID if value has length < 4")
+  void testIdentifiableTokenFilterLength() {
+    assertStatus(
+        HttpStatus.CREATED,
+        POST(
+            "/organisationUnits/",
+            "{'name':'My Unit 1', 'shortName':'OU1', 'openingDate': '2020-01-01'}"));
+    String ou2 =
+        assertStatus(
+            HttpStatus.CREATED,
+            POST(
+                "/organisationUnits/",
+                "{'name':'My Unit 2', 'shortName':'OU2', 'openingDate': '2020-01-01'}"));
+
+    JsonMixed response =
+        GET("/organisationUnits?filter=identifiable:token:" + ou2.substring(0, 3)).content();
+    assertEquals(0, response.getArray("organisationUnits").size());
+
+    response = GET("/organisationUnits?filter=identifiable:token:" + ou2.substring(0, 4)).content();
+    assertEquals(1, response.getArray("organisationUnits").size());
+    assertEquals(ou2, response.getArray("organisationUnits").getObject(0).getString("id").string());
+  }
+
   private void setUpTranslation() {
     injectSecurityContextUser(getAdminUser());