Commit 96aaa13

bpleshakovsliverc

authored and

committed

Enforce conflict response when requested PATCH resource object is unequal to endpoint (#763)

A server MUST return 409 Conflict when processing a PATCH request in which the resource object’s type and id do not match the server’s endpoint.

1 parent e3ae420 commit 96aaa13Copy full SHA for 96aaa13

File tree

+34

-0

lines changed

+34

-0

lines changed

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ Adam Wróbel <https://adamwrobel.com>`
`2`	`2`	`Adam Ziolkowski <adam@adsized.com>`
`3`	`3`	`Alan Crosswell <alan@columbia.edu>`
`4`	`4`	`Anton Shutik <shutikanton@gmail.com>`
	`5`	`+Boris Pleshakov <koordinator.kun@gmail.com>`
`5`	`6`	`Christian Zosel <https://zosel.ch>`
`6`	`7`	`David Vogt <david.vogt@adfinis-sygroup.ch>`
`7`	`8`	`Greg Aker <greg@gregaker.net>`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,10 @@ any parts of the framework not mentioned in the documentation should generally b`
`16`	`16`	`* Added support for Django REST framework 3.11`
`17`	`17`	`* Added support for Django 3.0`
`18`	`18`
	`19`	`+### Fixed`
	`20`	`+`
	`21`	+* Ensure that `409 Conflict` is returned when processing a `PATCH` request in which the resource object’s type and id do not match the server’s endpoint properly as outlined in [JSON:API](https://jsonapi.org/format/#crud-updating-responses-409) spec.
	`22`	`+`
`19`	`23`	`## [3.0.0] - 2019年10月14日`
`20`	`24`
`21`	`25`	`This release is not backwards compatible. For easy migration best upgrade first to version`

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -185,6 +185,24 @@ def test_patch_requires_id(self):`
`185`	`185`
`186`	`186`	`self.assertEqual(response.status_code, 400)`
`187`	`187`
	`188`	`+ def test_patch_requires_correct_id(self):`
	`189`	`+ """`
	`190`	`+ Verify that 'id' is the same then in url`
	`191`	`+ """`
	`192`	`+ data = {`
	`193`	`+ 'data': {`
	`194`	`+ 'type': 'users',`
	`195`	`+ 'id': self.miles.pk + 1,`
	`196`	`+ 'attributes': {`
	`197`	`+ 'first-name': 'DifferentName'`
	`198`	`+ }`
	`199`	`+ }`
	`200`	`+ }`
	`201`	`+`
	`202`	`+ response = self.client.patch(self.detail_url, data=data)`
	`203`	`+`
	`204`	`+ self.assertEqual(response.status_code, 409)`
	`205`	`+`
`188`	`206`	`def test_key_in_post(self):`
`189`	`207`	`"""`
`190`	`208`	`Ensure a key is in the post.`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -139,6 +139,17 @@ def parse(self, stream, media_type=None, parser_context=None):`
`139`	`139`	`if not data.get('id') and request.method in ('PATCH', 'PUT'):`
`140`	`140`	`raise ParseError("The resource identifier object must contain an 'id' member")`
`141`	`141`
	`142`	`+ if request.method in ('PATCH', 'PUT'):`
	`143`	`+ lookup_url_kwarg = view.lookup_url_kwarg or view.lookup_field`
	`144`	`+ if str(data.get('id')) != str(view.kwargs[lookup_url_kwarg]):`
	`145`	`+ raise exceptions.Conflict(`
	`146`	`+ "The resource object's id ({data_id}) does not match url's "`
	`147`	`+ "lookup id ({url_id})".format(`
	`148`	`+ data_id=data.get('id'),`
	`149`	`+ url_id=view.kwargs[view.lookup_field]`
	`150`	`+ )`
	`151`	`+ )`
	`152`	`+`
`142`	`153`	`# Construct the return data`
`143`	`154`	`serializer_class = getattr(view, 'serializer_class', None)`
`144`	`155`	`parsed_data = {'id': data.get('id')} if 'id' in data else {}`

Comments

(0)