Fixed: fail on mismatch between ID in patch request body and ID in URL.

Bart Koelman · Bart Koelman · commit e82ab39beaaa · 2020-04-29T12:41:32.000+02:00
diff --git a/src/JsonApiDotNetCore/Exceptions/ResourceIdMismatchException.cs b/src/JsonApiDotNetCore/Exceptions/ResourceIdMismatchException.cs
@@ -0,0 +1,20 @@
+using System.Net;
+using JsonApiDotNetCore.Models.JsonApiDocuments;
+
+namespace JsonApiDotNetCore.Exceptions
+{
+    /// <summary>
+    /// The error that is thrown when the resource id in the request body does not match the id in the current endpoint URL.
+    /// </summary>
+    public sealed class ResourceIdMismatchException : JsonApiException
+    {
+        public ResourceIdMismatchException(string bodyId, string endpointId, string requestPath)
+            : base(new Error(HttpStatusCode.Conflict)
+            {
+                Title = "Resource id mismatch between request body and endpoint URL.",
+                Detail = $"Expected resource id '{endpointId}' in PATCH request body at endpoint '{requestPath}', instead of '{bodyId}'."
+            })
+        {
+        }
+    }
+}
diff --git a/src/JsonApiDotNetCore/Formatters/JsonApiReader.cs b/src/JsonApiDotNetCore/Formatters/JsonApiReader.cs
@@ -3,6 +3,7 @@
 using System.IO;
 using System.Threading.Tasks;
 using JsonApiDotNetCore.Exceptions;
+using JsonApiDotNetCore.Managers.Contracts;
 using JsonApiDotNetCore.Models;
 using JsonApiDotNetCore.Serialization.Server;
 using Microsoft.AspNetCore.Http.Extensions;
@@ -15,12 +16,15 @@ namespace JsonApiDotNetCore.Formatters
     public class JsonApiReader : IJsonApiReader
     {
         private readonly IJsonApiDeserializer _deserializer;
+        private readonly ICurrentRequest _currentRequest;
         private readonly ILogger<JsonApiReader> _logger;
 
         public JsonApiReader(IJsonApiDeserializer deserializer,
-                             ILoggerFactory loggerFactory)
+            ICurrentRequest currentRequest,
+            ILoggerFactory loggerFactory)
         {
             _deserializer = deserializer;
+            _currentRequest = currentRequest;
             _logger = loggerFactory.CreateLogger<JsonApiReader>();
         }
 
@@ -57,46 +61,56 @@ public async Task<InputFormatterResult> ReadAsync(InputFormatterContext context)
 
             if (context.HttpContext.Request.Method == "PATCH")
             {
-                var hasMissingId = model is IList list ? CheckForId(list) : CheckForId(model);
+                bool hasMissingId = model is IList list ? HasMissingId(list) : HasMissingId(model);
                 if (hasMissingId)
                 {
                     throw new InvalidRequestBodyException("Payload must include id attribute.", null, body);
                 }
+
+                if (!_currentRequest.IsRelationshipPath && TryGetId(model, out var bodyId) && bodyId != _currentRequest.BaseId)
+                {
+                    throw new ResourceIdMismatchException(bodyId, _currentRequest.BaseId, context.HttpContext.Request.GetDisplayUrl());
+                }
             }
 
             return await InputFormatterResult.SuccessAsync(model);
         }
 
         /// <summary> Checks if the deserialized payload has an ID included </summary>
-        private bool CheckForId(object model)
+        private bool HasMissingId(object model)
         {
-            if (model == null) return false;
-            if (model is ResourceObject ro)
-            {
-                if (string.IsNullOrEmpty(ro.Id)) return true;
-            }
-            else if (model is IIdentifiable identifiable)
+            return TryGetId(model, out string id) && string.IsNullOrEmpty(id);
+        }
+
+        /// <summary> Checks if all elements in the deserialized payload have an ID included </summary>
+        private bool HasMissingId(IEnumerable models)
+        {
+            foreach (var model in models)
             {
-                if (string.IsNullOrEmpty(identifiable.StringId)) return true;
+                if (TryGetId(model, out string id) && string.IsNullOrEmpty(id))
+                {
+                    return true;
+                }
             }
+
             return false;
         }
 
-        /// <summary> Checks if the elements in the deserialized payload have an ID included </summary>
-        private bool CheckForId(IList modelList)
+        private static bool TryGetId(object model, out string id)
         {
-            foreach (var model in modelList)
+            if (model is ResourceObject resourceObject)
             {
-                if (model == null) continue;
-                if (model is ResourceObject ro)
-                {
-                    if (string.IsNullOrEmpty(ro.Id)) return true;
-                }
-                else if (model is IIdentifiable identifiable)
-                {
-                    if (string.IsNullOrEmpty(identifiable.StringId)) return true;
-                }
+                id = resourceObject.Id;
+                return true;
             }
+
+            if (model is IIdentifiable identifiable)
+            {
+                id = identifiable.StringId;
+                return true;
+            }
+
+            id = null;
             return false;
         }
 
diff --git a/test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/UpdatingDataTests.cs b/test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/UpdatingDataTests.cs
@@ -178,7 +178,42 @@ public async Task Respond_422_If_IdNotInAttributeList()
             Assert.Equal("Failed to deserialize request body: Payload must include id attribute.", error.Title);
             Assert.StartsWith("Request body: <<", error.Detail);
         }
-        
+
+        [Fact]
+        public async Task Respond_409_If_IdInUrlIsDifferentFromIdInRequestBody()
+        {
+            // Arrange
+            var todoItem = _todoItemFaker.Generate();
+            todoItem.CreatedDate = DateTime.Now;
+
+            _context.TodoItems.Add(todoItem);
+            _context.SaveChanges();
+
+            var wrongTodoItemId = todoItem.Id + 1;
+
+            var builder = new WebHostBuilder().UseStartup<Startup>();
+            var server = new TestServer(builder);
+            var client = server.CreateClient();
+            var serializer = _fixture.GetSerializer<TodoItem>(ti => new {ti.Description, ti.Ordinal, ti.CreatedDate});
+            var content = serializer.Serialize(todoItem);
+            var request = PrepareRequest("PATCH", $"/api/v1/todoItems/{wrongTodoItemId}", content);
+
+            // Act
+            var response = await client.SendAsync(request);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.Conflict, response.StatusCode);
+
+            var body = await response.Content.ReadAsStringAsync();
+            var document = JsonConvert.DeserializeObject<ErrorDocument>(body);
+            Assert.Single(document.Errors);
+
+            var error = document.Errors.Single();
+            Assert.Equal(HttpStatusCode.Conflict, error.StatusCode);
+            Assert.Equal("Resource id mismatch between request body and endpoint URL.", error.Title);
+            Assert.Equal($"Expected resource id '{wrongTodoItemId}' in PATCH request body at endpoint 'http://localhost/api/v1/todoItems/{wrongTodoItemId}', instead of '{todoItem.Id}'.", error.Detail);
+        }
+
         [Fact]
         public async Task Respond_422_If_Broken_JSON_Payload()
         {
