enhancement!: validate input in content API create and update controllers #20169
Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com>
Sure. The way we currently do this with the entity-service is by adding a new variable to the ctx.query that is not filters, fields or populate.
Ahh, ok! For document service itself, I believe it either already has, or plans to have the ability to extend that context, but maybe @Marc-Roig can give more information on that.
Adding
Removing unrecognized attributes should be fine as long as it is only done in fields, populate and filters. This is fine since currently we already remove them in the controller when we sanitize them; the only difference would be that we throw an error now, while before it was done silently.
Any middleware can extend the context in itself; in this case I would extend the context.params, which is the one that includes fields, filters, ...
packages/core/admin/server/src/services/permission/permissions-manager/sanitize.ts
packages/core/utils/src/validate/visitors/throw-unrecognized-fields.ts
QAed!
LGTM
What does it do?
- coreController create and update methods call validateInput()
- validateInput now throws on fields that don't exist on schema
- validateInput where only the first traversal method was being called
Why is it needed?
To make it easier to debug content API create and update requests; we should not be silently removing anything from the user's input data.
How to test it?
API tests have been added
To test manually, create a content type and try sending various types of bad input to it (create and update endpoints), and you should receive a 400 bad request instead of a 200/201 success.
Related issue(s)/PR(s)
DX-1136
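The behaviour change described in this PR (unknown input fields produce a 400 instead of being silently dropped), as an added example that is not code from the Strapi repository. The schema, the error class, `sanitizeInput`, `create` and this stand-in `validateInput` are all hypothetical.

```javascript
// Added illustration, not Strapi code: schema, helpers and error class are hypothetical.
class ValidationError extends Error {
  constructor(message, path) { super(message); this.path = path; }
}
// Constructed sample schema; a component nests its own attribute map.
const articleSchema = {
  title: { type: 'string' },
  seo: { type: 'component', attributes: { metaTitle: { type: 'string' } } },
};
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const nested = (schema, key, value) =>
  Object.hasOwn(schema, key) && schema[key].type === 'component' && isObject(value);

// Before: unknown keys are dropped and the request still succeeds.
function sanitizeInput(data, schema) {
  const out = {};
  for (const [key, value] of Object.entries(data)) {
    if (!Object.hasOwn(schema, key)) continue; // silently removed
    out[key] = nested(schema, key, value) ? sanitizeInput(value, schema[key].attributes) : value;
  }
  return out;
}

// After: two checks; both must run, or nested keys would go unvalidated.
const checks = [
  (data, schema, path) => {
    for (const key of Object.keys(data)) {
      if (!Object.hasOwn(schema, key)) throw new ValidationError(`Invalid key ${key}`, [...path, key].join('.'));
    }
  },
  (data, schema, path) => {
    for (const [key, value] of Object.entries(data)) {
      if (nested(schema, key, value)) validateInput(value, schema[key].attributes, [...path, key]);
    }
  },
];
function validateInput(data, schema, path = []) {
  if (!isObject(data)) throw new ValidationError('Invalid input', path.join('.'));
  for (const check of checks) check(data, schema, path);
}

// Controller-style wrapper: a validation failure becomes a 400 instead of a 201.
function create(body) {
  try {
    validateInput(body, articleSchema);
  } catch (err) {
    if (!(err instanceof ValidationError)) throw err;
    return { status: 400, error: err.message, path: err.path };
  }
  return { status: 201, data: body };
}
```

Calling `create({ title: 'a', isAdmin: true })` returns a 400 naming `isAdmin`, where the sanitize-only path would have stored the record without that key and reported success.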