From f8c683f451d7f345a6aadf6a6845ab916e8aeb59 Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan <girish@cloudron.io>
Date: Fri, 25 Mar 2016 11:35:47 -0700
Subject: [PATCH] Disallow updating an app with mismatching manifest id

Story so far:
1. App installed from store. appStoreId is set to manifest.id.
2. User installed a custom built app with a custom manifest.id using cloudron install --app <id>. The appStoreId is still set.
3. When we make a new release, it overrides the users install.

The fix (for now) is:
1. Do not allow mismatching ids to start with.
2. When forced, it is allowed but appStoreId is cleared so as to not get any auto updates.

This leaves the user vulnerable to 'cloudron uninstall' simply autoselecting this new app.
For this, they have to simply disable CLI mode for now.

There is also a corner case where:
1. Dev installs from app store
2. Dev compiles from source and updates on top of app store install with --app <id>
3. Dev find out that his installation has auto-updated the next day.
---
 src/apps.js | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/apps.js b/src/apps.js
index 6cbb88956..ed378b49c 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -549,10 +549,21 @@ function update(appId, force, manifest, portBindings, icon, callback) {
         if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such app'));
         if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
 
+        var appStoreId = app.appStoreId;
+
+        // prevent user from installing a app with different manifest id over an existing app
+        // this allows cloudron install -f --app <appid> for an app installed from the appStore
+        if (app.manifest.id !== manifest.id) {
+            if (!force) return callback(new AppsError(AppsError.BAD_FIELD, 'manifest id does not match. force to override'));
+            // clear appStoreId so that this app does not get updates anymore. this will mark is a dev app
+            appStoreId = '';
+        }
+
         // Ensure we update the memory limit in case the new app requires more memory as a minimum
         var memoryLimit = manifest.memoryLimit ? (app.memoryLimit < manifest.memoryLimit ? manifest.memoryLimit : app.memoryLimit) : app.memoryLimit;
 
         var values = {
+            appStoreId: appStoreId,
             manifest: manifest,
             portBindings: portBindings,
             memoryLimit: memoryLimit,