Malicious create request returns other users' data #407

@duckblaster

Describe the bug

If you set up personal table authentication as described in the documentation and send a create request with the item id set to an existing item belonging to another user, it will return a conflict response including the data belonging to the other user.

To Reproduce

Steps to reproduce the behavior:

  1. Create a server following the tutorial
  2. As user A, send a create request
  3. As user B, send a create request using the same item id as step 2
  4. User B sees the contents of the item created by user A in the conflict response

Expected behavior

Some other error that doesn't include the entity data

What platforms?

  • Server:

    • Version of dotnet being used to compile? 9.0
    • Library versions? 9.05
    • What database are you using? EF Core
    • Where are you running the server? Visual Studio/Windows
    • GitHub repository containing the code (optional, but helps!)
  • Client: N/A
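As an added illustration (not the toolkit's own code, which is not reproduced here), the Python model below shows the create path the report describes: `create_leaky` echoes whichever row already holds the id, while `create_safe` only returns the conflicting entity to its own owner. The user names, ids, item shape and in-memory table are constructed for the example.

```python
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Item:
    id: str
    owner: str   # user that created the row (the "personal table" column)
    body: str


@dataclass
class Response:
    status: int
    payload: Optional[dict] = None


class PersonalTable:
    """In-memory stand-in for a per-user table (constructed for this example)."""

    def __init__(self) -> None:
        self._rows: dict[str, Item] = {}

    def create_leaky(self, user: str, item_id: str, body: str) -> Response:
        """Mirrors the reported behaviour: the conflict path returns whatever
        row already holds the id, before any ownership check runs."""
        existing = self._rows.get(item_id)
        if existing is not None:
            return Response(409, asdict(existing))  # leaks another user's row
        self._rows[item_id] = Item(item_id, user, body)
        return Response(201, asdict(self._rows[item_id]))

    def create_safe(self, user: str, item_id: str, body: str) -> Response:
        """Hardened: the existing row is only disclosed to its own owner."""
        existing = self._rows.get(item_id)
        if existing is not None:
            if existing.owner != user:
                # Conflict with someone else's row: report the failure with no
                # entity body. An empty 409 still reveals that the id is taken;
                # reuse the status given for unknown ids (e.g. 404) if existence
                # itself must stay hidden.
                return Response(409)
            return Response(409, asdict(existing))  # owner can resolve conflict
        self._rows[item_id] = Item(item_id, user, body)
        return Response(201, asdict(self._rows[item_id]))


def reproduce(handler_name: str) -> Response:
    """Runs the issue's steps 2 and 3 against the named create handler."""
    table = PersonalTable()
    handler = getattr(table, handler_name)
    handler("user-a", "item-1", "A's private note")  # step 2: user A creates
    return handler("user-b", "item-1", "B's note")   # step 3: user B, same id
```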

Labels: Documentation (Improvements or additions to documentation)