From c4f69fd9cbcc9dff08aa7cb2b38a1fc151d30e34 Mon Sep 17 00:00:00 2001
From: zadam
Date: Sat, 3 Jun 2023 00:21:46 +0200
Subject: [PATCH] don't allow patching relation's value in ETAPI #3998

---
 src/etapi/attributes.js | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/etapi/attributes.js b/src/etapi/attributes.js
index 6886e0845..fb8b2ad99 100644
--- a/src/etapi/attributes.js
+++ b/src/etapi/attributes.js
@@ -40,19 +40,25 @@ function register(router) {
 }
 });

- const ALLOWED_PROPERTIES_FOR_PATCH = {
+ const ALLOWED_PROPERTIES_FOR_PATCH_LABEL = {
 'value': [v.notNull, v.isString],
 'position': [v.notNull, v.isInteger]
 };

+ const ALLOWED_PROPERTIES_FOR_PATCH_RELATION = {
+ 'position': [v.notNull, v.isInteger]
+ };
+
 eu.route(router, 'patch' ,'/etapi/attributes/:attributeId', (req, res, next) => {
 const attribute = eu.getAndCheckAttribute(req.params.attributeId);

- if (attribute.type === 'relation') {
+ if (attribute.type === 'label') {
+ eu.validateAndPatch(attribute, req.body, ALLOWED_PROPERTIES_FOR_PATCH_LABEL);
+ } else if (attribute.type === 'relation') {
 eu.getAndCheckNote(req.body.value);
- }

- eu.validateAndPatch(attribute, req.body, ALLOWED_PROPERTIES_FOR_PATCH);
+ eu.validateAndPatch(attribute, req.body, ALLOWED_PROPERTIES_FOR_PATCH_RELATION);
+ }

 attribute.save();
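Review bot: In the relation branch, `eu.getAndCheckNote(req.body.value);` still runs before `eu.validateAndPatch(...)`, even though `value` is no longer in `ALLOWED_PROPERTIES_FOR_PATCH_RELATION`. Its body is not in this hunk, but if it rejects a missing or unknown note id, as the name suggests, a position-only PATCH on a relation would fail on the note lookup. A request that does carry `value` would then get a note-lookup answer rather than the property-not-allowed rejection. Dropping that line, so the branch is only `eu.validateAndPatch(attribute, req.body, ALLOWED_PROPERTIES_FOR_PATCH_RELATION);`, makes the allow-list the single gate. An attribute whose type is neither `'label'` nor `'relation'` now reaches `attribute.save()` with no validation, so a final `else` that rejects the request would make that case explicit; the route handler continues past the end of the hunk.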