PATCH overrides ReadOnlyProperty [DATAREST-1144]

[spring-projects-issues]

Michael S opened DATAREST-1144 and commented

PATCHing overrides a read-only property, PUTting doesn't.

E.g. using the following entity:

@Entity
public class Person {

	@Id
	@GeneratedValue(strategy = GenerationType.AUTO)
	private long id;

	private String firstName;
	private String lastName;
	
	@ReadOnlyProperty
	private String place;

	// snip
}

The property "place" gets set internally using

@HandleBeforeCreate
public void handleBeforeCreate(Person person) {
	if(person.getPlace() == null) {
		person.setPlace("The Shire");
	}
}

A PUT call using e.g. a json payload like the following results in an unchanged place:

{ "firstName" : "Frodo", "lastName" :"Baggins", "place" : "Mordor" } 

However PATCHing the same (or a partial) payload changes the place to the new value.

Please see the referenced quickstart that reproduces the problem.

I dug a bit into the issue and found out that during a PATCH request JsonPatchHandler calls DomainObjectMerger's read that omits the property checking whereas PUT calls readPut that does the property checks.

Note that this should also work using

@JsonProperty(access = Access.READ_ONLY) 

but this isn't tested in the referenced project since a bug (DATAREST-1006 got fixed some hours ago) is responsible for also overrides on PUT

---

Affects: 2.6.7 (Ingalls SR7)

Reference URL: https://github.com/msparer/gs-accessing-data-rest

1 votes, 3 watchers

[spring-projects-issues]

Michael S commented

Just wanted to follow up on this as there wasn't any comment and I want to avoid that this one flies under the radar. Since this seems to be a major bug that also poses a security threat since properties that are supposed to be read-only can be overridden using PATCH

[spring-projects-issues]

Oliver Drotbohm commented

Although this is filed for PATCH, I think it's a duplicate of DATAREST-1006 whcih was fixed in the recent Ingalls SR8. Would you mind giving the latest release a try?

[spring-projects-issues]

Michael S commented

Thanks for the reply! Tested with 2.6.8.RELEASE (by explicitly adding spring-data-rest-core and spring-data-rest-webmvc with the version 2.6.8.RELEASE to the spring-data quickstart pom) and the bug is still there. I had a look at DATAREST-1006 before filing this issue and I don't think that the bugs are really related since DATAREST-1006 could be avoided with the @ReadOnlyProperty workaround

[spring-projects-issues]

Norbert Somlai commented

This is still happening with 3.0.4.RELEASE and 3.0.6.RELEASE

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.