PATCH overrides ReadOnlyProperty [DATAREST-1144] #1507

Open
spring-projects-issues opened this issue Oct 4, 2017 · 5 comments
Labels: status: feedback-provided, type: bug

Comments

@spring-projects-issues spring-projects-issues commented Oct 4, 2017

Michael S opened DATAREST-1144 and commented

PATCHing overrides a read-only property, PUTting doesn't.

E.g. using the following entity:

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;

import org.springframework.data.annotation.ReadOnlyProperty;

@Entity
public class Person {

	@Id
	@GeneratedValue(strategy = GenerationType.AUTO)
	private long id;

	private String firstName;
	private String lastName;

	// must not be writable through the REST API
	@ReadOnlyProperty
	private String place;

	// snip
}

The property "place" gets set internally using

import org.springframework.data.rest.core.annotation.HandleBeforeCreate;
import org.springframework.data.rest.core.annotation.RepositoryEventHandler;
import org.springframework.stereotype.Component;

@Component @RepositoryEventHandler
public class PersonEventHandler {

	@HandleBeforeCreate
	public void handleBeforeCreate(Person person) {
		if (person.getPlace() == null) {
			person.setPlace("The Shire");
		}
	}
}

A PUT call using e.g. a JSON payload like the following results in an unchanged place:

{ "firstName" : "Frodo", "lastName" : "Baggins", "place" : "Mordor" }

However, PATCHing the same (or a partial) payload changes the place to the new value.

Please see the referenced quickstart that reproduces the problem.

I dug a bit into the issue and found out that during a PATCH request JsonPatchHandler calls DomainObjectMerger's read that omits the property checking whereas PUT calls readPut that does the property checks.

Note that this should also work using

@JsonProperty(access = Access.READ_ONLY)

but this isn't tested in the referenced project, since a bug (DATAREST-1006, which got fixed some hours ago) is responsible for overrides on PUT as well.


Affects: 2.6.7 (Ingalls SR7)

Reference URL: https://github.com/msparer/gs-accessing-data-rest

1 votes, 3 watchers
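A regression test for the behaviour described above, added here and not part of the referenced quickstart or of Spring Data REST itself. It assumes a Spring Boot test setup (JUnit 4 with SpringRunner, as in the Ingalls line), that PersonRepository is exported at /people, and that Person exposes place as in the snippet above; both methods pass only when the read-only property is honoured for PATCH as well as PUT.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.patch;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class ReadOnlyPlaceTest {

	@Autowired
	private MockMvc mvc;

	// Assumption: PersonRepository is exported at /people (as in the quickstart).
	// Creates a person without a place, so @HandleBeforeCreate sets "The Shire".
	private String createFrodo() throws Exception {
		return mvc.perform(post("/people").contentType(MediaType.APPLICATION_JSON)
				.content("{\"firstName\":\"Frodo\",\"lastName\":\"Baggins\"}"))
				.andExpect(status().isCreated())
				.andReturn().getResponse().getHeader("Location");
	}

	@Test
	public void putKeepsReadOnlyPlace() throws Exception {
		String uri = createFrodo();
		mvc.perform(put(uri).contentType(MediaType.APPLICATION_JSON)
				.content("{\"firstName\":\"Frodo\",\"lastName\":\"Baggins\",\"place\":\"Mordor\"}"))
				.andExpect(status().is2xxSuccessful());
		mvc.perform(get(uri)).andExpect(jsonPath("$.place").value("The Shire"));
	}

	@Test
	public void patchKeepsReadOnlyPlace() throws Exception {
		String uri = createFrodo();
		// JSON Merge Patch body touching only the read-only property
		mvc.perform(patch(uri).contentType("application/merge-patch+json")
				.content("{\"place\":\"Mordor\"}"))
				.andExpect(status().is2xxSuccessful());
		mvc.perform(get(uri)).andExpect(jsonPath("$.place").value("The Shire"));
	}
}
```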

@spring-projects-issues spring-projects-issues commented Oct 12, 2017

Michael S commented

Just wanted to follow up on this as there wasn't any comment and I want to avoid that this one flies under the radar, since this seems to be a major bug that also poses a security threat: properties that are supposed to be read-only can be overridden using PATCH.

@spring-projects-issues spring-projects-issues commented Oct 12, 2017

Oliver Drotbohm commented

Although this is filed for PATCH, I think it's a duplicate of DATAREST-1006, which was fixed in the recent Ingalls SR8. Would you mind giving the latest release a try?

@spring-projects-issues spring-projects-issues commented Oct 12, 2017

Michael S commented

Thanks for the reply! Tested with 2.6.8.RELEASE (by explicitly adding spring-data-rest-core and spring-data-rest-webmvc with the version 2.6.8.RELEASE to the spring-data quickstart pom) and the bug is still there. I had a look at DATAREST-1006 before filing this issue and I don't think that the bugs are really related, since DATAREST-1006 could be avoided with the @ReadOnlyProperty workaround.

@spring-projects-issues spring-projects-issues commented Apr 11, 2018

Norbert Somlai commented

This is still happening with 3.0.4.RELEASE and 3.0.6.RELEASE.

@spring-projects-issues spring-projects-issues added status: waiting-for-feedback type: bug labels Dec 31, 2020
@spring-projects-issues spring-projects-issues commented Jan 7, 2021

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@spring-projects-issues spring-projects-issues added the status: feedback-reminder label Jan 7, 2021
@gregturn gregturn added status: feedback-provided and removed status: feedback-reminder status: waiting-for-feedback labels Jan 11, 2021