Problem/Motivation
#2824851: EntityResource::patch() makes an incorrect assumption about entity keys, hence results in incorrect behavior recently made very important fixes to the core REST module. In doing so, it introduced an important change, which follows https://en.wikipedia.org/wiki/Robustness_principle.
It allows one to send values in PATCH
requests, even for fields that the user is not allowed to modify, as long as they match the currently stored values.
This means developers can GET
an entity, decode it from JSON into an object/array structure in JS, change a value, encode it again into JSON, and have it work. Today, they cannot do that: they have to explicitly omit fields that the user is not allowed to modify, otherwise they'll get a 403!
Proposed resolution
Implement the same change in JSON API.
Remaining tasks
- Roll patch, which should copy/paste the logic from core, plus #2938035: When PATCHing a field is disallowed, no reason is given for *why* this happens to ensure we still send the same excellent field access 403 responses that JSON API already does better than core REST!
Wait for #2930028: Comprehensive JSON API integration test coverage phase 1: for every entity type, individual resources only to land.
User interface changes
None.
API changes
None.
Data model changes
None.
Comment | File | Size | Author |
---|---|---|---|
#12 | 2939810-12.patch | 6.73 KB | Wim Leers |
|
Comments
Comment #2
Wim LeersComment #3
Wim LeersComment #4
e0ipsoShould we add a "warning" or an "error" in the response now that we have support for the Partial Success extension?
We could highlight the fields that would be un-editable, and that are recommended to be dropped from the payload.
Comment #5
Wim LeersThere's no need for any warning at all when sending unchanged values for fields. That means you don't intend to change anything. Receiving warnings for things that are fine and safe seems unnecessarily scary?
Comment #6
Wim LeersIn that same issue, we ran into #2824851-157: EntityResource::patch() makes an incorrect assumption about entity keys, hence results in incorrect behavior:
And then in #2824851-194: EntityResource::patch() makes an incorrect assumption about entity keys, hence results in incorrect behavior:
The patch in #3 also fixes this case: it ensures that
User
'spass
field always gets set.This issue should therefore also re-activate the test coverage that #2930028-54: Comprehensive JSON API integration test coverage phase 1: for every entity type, individual resources only is adding in
\Drupal\Tests\jsonapi\Functional\UserTest::testPatchSecurityOtherUser()
Comment #7
Wim LeersRebased.
Comment #8
Wim Leers#2930028: Comprehensive JSON API integration test coverage phase 1: for every entity type, individual resources only (and #2932031: Comprehensive JSON API integration test coverage phase 2: for every entity type, complex use-cases) landed, this can now be worked on.
Comment #9
Wim LeersRebased #7 (had to fix some conflicts).
Comment #11
Wim LeersThat worked … for everything except
File
. Same exact failure on 8.4 and 8.6. Investigating…Comment #12
Wim LeersThat failed because
jsonapi
is adding aurl
computed field (which we'll deprecate in #2926463: [>=8.5] Remove JSON API's "file URL" field work-around now that Drupal core 8.5 fixed it), and the class corresponding to it does not compute it at all necessary times. This is similar to what we saw in Drupal core withNode
'spath
field. To solve that, we did #2392845: Add a trait to standardize handling of computed item lists, which introduced a trait to standardize how computed field classes should behave, to prevent the same class of bugs from appearing everywhere.In this case, it's failing because comparing the stored
File
entity'surl
field value with the value in thePATCH
request concluded that the stored and received values were not the same. But they really are.The solution is simple: updating
\Drupal\jsonapi\Field\FileDownloadUrl
to use the trait that #2392845 introduced.Comment #13
Wim Leers#12 is green on both 8.4 and 8.6!
Comment #14
gabesulliceLooks good. Super job watching out for the security pitfalls.
Comment #16
e0ipsoThere was a minor issue applying the patch. I think all went well after all.
Comment #17
e0ipsoComment #18
Wim Leers❤️🎉 — this was a very important one to land!