However, PATCHing the same (or a partial) payload changes the place to the new value.
Please see the referenced quickstart that reproduces the problem.
I dug a bit into the issue and found out that during a PATCH request, JsonPatchHandler calls DomainObjectMerger's read, which omits the property checking, whereas PUT calls readPut, which does the property checks.
Note that this should also work using
@JsonProperty(access = Access.READ_ONLY)
but this isn't tested in the referenced project, since a bug (DATAREST-1006, which got fixed some hours ago) is responsible for overrides on PUT as well.
Just wanted to follow up on this as there wasn't any comment and I want to avoid this one flying under the radar. This seems to be a major bug that also poses a security threat, since properties that are supposed to be read-only can be overridden using PATCH.
Thanks for the reply! Tested with 2.6.8.RELEASE (by explicitly adding spring-data-rest-core and spring-data-rest-webmvc with the version 2.6.8.RELEASE to the spring-data quickstart pom) and the bug is still there. I had a look at DATAREST-1006 before filing this issue and I don't think that the bugs are really related, since DATAREST-1006 could be avoided with the @ReadOnlyProperty workaround.
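
A regression test for the behaviour reported in this thread, added here as an example; it is not part of the original issue, the referenced quickstart, or Spring Data REST. It assumes a hypothetical `Person` entity exported at `/people` with a `place` property annotated `@ReadOnlyProperty`, a hypothetical `PersonRepository`, and the Spring Boot 1.5 / JUnit 4 test stack that matches the 2.6.x line discussed above. Per the reports in the thread, the PATCH test is the one expected to fail on affected versions.

```java
import static org.junit.Assert.assertEquals;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class ReadOnlyPropertyTests {

    @Autowired MockMvc mvc;
    @Autowired PersonRepository people;   // hypothetical repository
    Long id;

    @Before
    public void seed() {
        Person p = new Person();          // hypothetical entity
        p.setName("alice");
        p.setPlace("original");           // read-only over REST, set server-side
        id = people.save(p).getId();
    }

    @Test                                 // PUT path: property checks applied
    public void putKeepsReadOnlyProperty() throws Exception {
        mvc.perform(put("/people/" + id).contentType(MediaType.APPLICATION_JSON)
                .content("{\"name\":\"alice\",\"place\":\"changed\"}"))
           .andExpect(status().is2xxSuccessful());
        assertEquals("original", people.findOne(id).getPlace());
    }

    @Test                                 // PATCH path: must behave like PUT
    public void patchKeepsReadOnlyProperty() throws Exception {
        mvc.perform(patch("/people/" + id).contentType(MediaType.APPLICATION_JSON)
                .content("{\"place\":\"changed\"}"))
           .andExpect(status().is2xxSuccessful());
        assertEquals("original", people.findOne(id).getPlace());
    }
}
```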