Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enhancement!: validate input in content API create and update controllers #20169

Merged
merged 24 commits into from May 7, 2024
Merged

enhancement!: validate input in content API create and update controllers #20169

merged 24 commits into from May 7, 2024

Conversation

innerdvations
Copy link
Contributor

@innerdvations innerdvations commented Apr 22, 2024
edited

What does it do?

  • coreController create and update methods call validateInput()
  • validateInput now throws on fields that don't exist on schema
  • fixes bug in validateInput where only the first traversal method was being called

Why is it needed?

To make it easier to debug content API create and update requests; we should not be silently removing anything from the users input data.

How to test it?

API tests have been added

To test manually, create a content type and try sending various types of bad input to it (create and update endpoints), and you should receive a 400 bad request instead of a 200/201 success.

Related issue(s)/PR(s)

DX-1136

innerdvations and others added 3 commits April 22, 2024 13:47
@innerdvations @Convly
enh: validate input from content API
c7d4298 
Co-authored-by: Jean-Sébastien Herbaux <Convly@users.noreply.github.com>
@innerdvations
chore: remove commented code
e22dd81
@innerdvations
chore: remove old comments
3ca17ed
@innerdvations innerdvations added flag: 💥 Breaking change This PR contains breaking changes and should not be merged pr: enhancement This PR adds or updates some part of the codebase or features source: core:core Source is core/core labels Apr 22, 2024
@innerdvations innerdvations self-assigned this Apr 22, 2024
@vercel Vercel
Copy link

vercel bot commented Apr 22, 2024
edited

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
contributor-docs ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 2, 2024 8:46am

@Boegie19
Copy link
Collaborator

Could you give an example of 1?

Sure
Lets say I have a custom docuementServiceMiddleware.
Lets now say I have a soft delete plugin like https://github.com/ChristopheCVB/strapi-plugin-soft-delete
And I want to give a variable in the query to softdelete documentService middleware to see soft-deleted rows. so like
SeeDeletedEnteries=True or SeeDeletedEnteries=False

The way we currently do this with the entity-service is with adding an new variable to the ctx.query what is not filters, fields or populate

@innerdvations
Copy link
Contributor Author

Ahh, ok! For document service itself, I believe it either already has, or plans to have the ability to extend that context, but maybe @Marc-Roig can give more information on that.

@innerdvations innerdvations marked this pull request as ready for review April 24, 2024 14:11
@innerdvations innerdvations added the flag: don't merge This PR should not be merged at the moment label Apr 24, 2024
@innerdvations
Copy link
Contributor Author

Adding don't merge label for now until I can be sure we won't be breaking a lot more things than expected by preventing unrecognized attributes.

@Boegie19
Copy link
Collaborator

Boegie19 commented Apr 24, 2024
edited

Adding don't merge label for now until I can be sure we won't be breaking a lot more things than expected by preventing unrecognized attributes.

Removing unrecognized attributes should be fine as long as it is only done in fields, populate and filters only. this is fine since currently we already remove them in the controler when we senatize them the only diffrence would be we trow an error now while before it was done silently.

@Marc-Roig
Copy link
Contributor

Any middleware can extend the context in itself, in this case I would extend the context.params which is the one that includes, fields, filters, ...

@innerdvations innerdvations added flag: 💥 Breaking change This PR contains breaking changes and should not be merged and removed flag: 💥 Breaking change This PR contains breaking changes and should not be merged flag: don't merge This PR should not be merged at the moment labels Apr 26, 2024
@alexandrebodin alexandrebodin removed their request for review May 2, 2024 09:12
Bassel17
Bassel17 approved these changes May 7, 2024
View reviewed changes
Copy link
Member

@Bassel17 Bassel17 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

QAed!
LGTM

@innerdvations innerdvations merged commit 7a6d9a2 into v5/main May 7, 2024
86 of 91 checks passed
@innerdvations innerdvations deleted the enhancement/validate-input branch May 7, 2024 09:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Convly Convly Convly left review comments

@Bassel17 Bassel17 Bassel17 approved these changes

@Marc-Roig Marc-Roig Awaiting requested review from Marc-Roig

@jhoward1994 jhoward1994 Awaiting requested review from jhoward1994

Assignees

@innerdvations innerdvations

Labels
flag: 💥 Breaking change This PR contains breaking changes and should not be merged flag: documentation This PR requires a documentation update pr: enhancement This PR adds or updates some part of the codebase or features source: core:core Source is core/core
Projects
Breaking Change Issues
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@innerdvations @Boegie19 @Marc-Roig @Convly @Bassel17