test(post): return 403 for client generated ids

Issue #21

Author: jaredcnance

src/JsonApiDotNetCore/Controllers/JsonApiController.cs

@@ -1,4 +1,3 @@
-using System.Collections;
 using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
@@ -139,6 +138,10 @@ public virtual async Task<IActionResult> PostAsync([FromBody] T entity)
                 return UnprocessableEntity();
             }
 
+            var stringId = entity.Id.ToString();
+            if(stringId.Length > 0 && stringId != "0")
+                return Forbidden();
+
             await _entities.CreateAsync(entity);
 
             return Created(HttpContext.Request.Path, entity);

src/JsonApiDotNetCore/Controllers/JsonApiControllerMixin.cs

@@ -11,5 +11,10 @@ protected IActionResult UnprocessableEntity()
         {
             return new StatusCodeResult(422);
         }
+
+        protected IActionResult Forbidden()
+        {
+            return new StatusCodeResult(403);
+        }
     }
 }

test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/CreatingDataTests.cs

@@ -0,0 +1,72 @@
+using System.Collections.Generic;
+using System.Net;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Threading.Tasks;
+using Bogus;
+using DotNetCoreDocs;
+using DotNetCoreDocs.Writers;
+using JsonApiDotNetCore.Serialization;
+using JsonApiDotNetCore.Services;
+using JsonApiDotNetCoreExample;
+using JsonApiDotNetCoreExample.Data;
+using JsonApiDotNetCoreExample.Models;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.TestHost;
+using Newtonsoft.Json;
+using Xunit;
+
+namespace JsonApiDotNetCoreExampleTests.Acceptance.Spec
+{
+    [Collection("WebHostCollection")]
+    public class CreatingDataTests
+    {
+        private DocsFixture<Startup, JsonDocWriter> _fixture;
+        private IJsonApiContext _jsonApiContext;
+        private Faker<TodoItem> _todoItemFaker;
+
+        public CreatingDataTests(DocsFixture<Startup, JsonDocWriter> fixture)
+        {
+            _fixture = fixture;
+            _jsonApiContext = fixture.GetService<IJsonApiContext>();
+             _todoItemFaker = new Faker<TodoItem>()
+                .RuleFor(t => t.Description, f => f.Lorem.Sentence())
+                .RuleFor(t => t.Ordinal, f => f.Random.Number());
+        }
+
+        [Fact]
+        public async Task Request_With_ClientGeneratedId_Returns_403()
+        {
+            // arrange
+            var builder = new WebHostBuilder()
+                .UseStartup<Startup>();
+            var httpMethod = new HttpMethod("POST");
+            var route = "/api/v1/todo-items";
+            var server = new TestServer(builder);
+            var client = server.CreateClient();
+            var request = new HttpRequestMessage(httpMethod, route);
+            var todoItem = _todoItemFaker.Generate();
+            var content = new
+            {
+                data = new
+                {
+                    type = "todo-items",
+                    id = "9999",
+                    attributes = new
+                    {
+                        description = todoItem.Description,
+                        ordinal = todoItem.Ordinal
+                    }
+                }
+            };
+            request.Content = new StringContent(JsonConvert.SerializeObject(content));
+            request.Content.Headers.ContentType = new MediaTypeHeaderValue("application/vnd.api+json");
+            
+            // act
+            var response = await client.SendAsync(request);
+
+            // assert
+            Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+        }
+    }
+}

test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/DocumentTests/PagingTests.cs

@@ -13,7 +13,6 @@
 using JsonApiDotNetCoreExample.Data;
 using Bogus;
 using JsonApiDotNetCoreExample.Models;
-using System.Linq;
 using System;
 
 namespace JsonApiDotNetCoreExampleTests.Acceptance.Spec.DocumentTests