PUT request should respect updateOwn and readOwn fields list #521

Closed
jean-luc opened this Issue Dec 3, 2018 · 0 comments

jean-luc commented Dec 3, 2018

Where updateOwn is permitted against an ACL collection resource AND fields are defined – the list should be respected when updating the document. Fields not defined in the list should not be updated when the PUT request is handled.

Expected behavior

Given the access defined below, only field1 and field2 should be updated.

"updateOwn": {
    "fields": {
        "field1": 1,
        "field2": 1
    }
},
"readOwn": {
    "fields": {
        "field1": 1,
        "field2": 1
    }
}

Additionally, the response should respect the readOwn field list:

{
  "results": [
    {
      "_id": "5bf6b85d41111352da601beca",
      "field1": "example value 1",
      "field2": "example value 2"
    }
  ],
  "metadata": {
    ...
  }
}

Actual behavior

  1. It is possible to update any fields in the document. The update is not limited to fields defined in updateOwn.
  2. The response reveals the full document. The fields defined in readOwn are not respected.

{
  "results": [
    {
      "_apiVersion": "1.0",
      "_createdAt": 1542895709034,
      "_createdBy": "user_942821084861287",
      "_id": "5bf6b85d41111352da601beca",
      "_lastModifiedAt": 1543851418915,
      "_lastModifiedBy": "badassClient",
      "_version": 14,
      "field1": "example value 1",
      "field2": "example value 2",
      "field3": "example value 3",
      "field4": "example value 4"
    }
  ],
  "metadata": {
    ...
  }
}

** The same may be applicable to read and update but this hasn't been tested.
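One way a PUT handler could enforce both lists, added here as an example rather than the project's or the issue author's code: it assumes the ACL object has the shape shown in the issue and treats a fields map of `{name: 1}` as an allow-list and `{name: 0}` as a deny-list (MongoDB-style projection), which is an assumption about the format. The sample access object and document are constructed from the issue's examples.

```javascript
// Added example, not the project's own code: enforces the per-field ACL lists
// the issue asks for. `access` is assumed to have the shape shown above,
// { updateOwn: { fields: {...} }, readOwn: { fields: {...} } }. A fields map
// of {name: 1} is treated as an allow-list and {name: 0} as a deny-list
// (MongoDB-style projection); that interpretation is an assumption.

// Fields the API maintains itself; a client must never be able to set them.
const INTERNAL_FIELDS = ['_id', '_apiVersion', '_createdAt', '_createdBy',
  '_lastModifiedAt', '_lastModifiedBy', '_version'];

// Returns a copy of `doc` limited to what `fields` permits. A missing or
// empty list means the ACL restricts the operation, not individual fields.
// Keys in `alwaysKeep` (e.g. _id) survive an allow-list unless excluded.
function applyFieldProjection(doc, fields, alwaysKeep = []) {
  if (!fields || Object.keys(fields).length === 0) return { ...doc };
  const allowList = Object.values(fields).some(v => v === 1);
  const permitted = Object.keys(doc).filter(key =>
    fields[key] !== 0 && (alwaysKeep.includes(key) || !allowList || fields[key] === 1));
  return Object.fromEntries(permitted.map(key => [key, doc[key]]));
}

// Step 1 (PUT): drop every key the updateOwn list does not name, plus internal
// fields. The caller gets the sanitized update and the rejected keys, so it can
// log them or answer 400 instead of silently writing field3 and field4.
function sanitizeUpdate(access, payload) {
  const fields = access.updateOwn && access.updateOwn.fields;
  const update = applyFieldProjection(payload, fields);
  for (const key of INTERNAL_FIELDS) delete update[key];
  const rejected = Object.keys(payload).filter(key => !(key in update));
  return { update, rejected };
}

// Step 2 (response): project the stored document through readOwn before it
// goes into `results`, so the response no longer reveals the full document.
function projectResponse(access, doc) {
  const fields = access.readOwn && access.readOwn.fields;
  return applyFieldProjection(doc, fields, ['_id']);
}

// Constructed sample matching the issue: only field1 and field2 are permitted.
const SAMPLE_ACCESS = {
  updateOwn: { fields: { field1: 1, field2: 1 } },
  readOwn: { fields: { field1: 1, field2: 1 } }
};
```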
