google / jsonapi

jsonapi.org style payload serializer and deserializer
http://godoc.org/github.com/google/jsonapi
MIT License

Type validation on post is skipped #176

Closed noboevbo closed 3 years ago

noboevbo commented 5 years ago

When posting a new object the validation of the JSON API Type is skipped. Thus with an object like this:

type Test struct {
    ID          int       `jsonapi:"primary,tests"`
    Name        string    `jsonapi:"attr,name"`
}

it is possible to unmarshal the following content without an error:

{
    "data": {
        "type": "NOTtests",
        "attributes": {
            "name": "test2"
        }
    }
}

The JSON:API specifies the following:

A server MUST return 409 Conflict when processing a POST request in which the resource object’s type is not among the type(s) that constitute the collection represented by the endpoint.

With reference to the specification an error must be returned in such a case. I think it should be enough to just move the following snippet (from request.go line 177) below the type check:

if data.ID == "" {
    continue
}

Since I'm not deep enough in the matter yet, I wanted to ask if you can see any side effects here.
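
An added example, not part of the original issue and not code from google/jsonapi: a guard an application can run on a POST body before unmarshalling, so that a payload whose type differs from the model's primary tag is rejected even when no id is present. The names CheckPayloadType, primaryType and ErrTypeConflict are hypothetical, and the sketch assumes a single-resource payload and a struct (or pointer to struct) model.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"reflect"
	"strings"
)

// Test is the model from the issue.
type Test struct {
	ID   int    `jsonapi:"primary,tests"`
	Name string `jsonapi:"attr,name"`
}

// ErrTypeConflict is a hypothetical sentinel; a handler would map it to 409 Conflict.
var ErrTypeConflict = errors.New("resource type does not match endpoint collection")

// primaryType reads the type name from the model's `jsonapi:"primary,<type>"` tag.
func primaryType(model interface{}) (string, error) {
	t := reflect.Indirect(reflect.ValueOf(model)).Type() // struct or pointer to struct
	for i := 0; i < t.NumField(); i++ {
		if tag := t.Field(i).Tag.Get("jsonapi"); strings.HasPrefix(tag, "primary,") {
			return strings.TrimPrefix(tag, "primary,"), nil
		}
	}
	return "", errors.New("model has no jsonapi primary tag")
}

// CheckPayloadType compares data.type with the model's type, with or without an id.
func CheckPayloadType(body []byte, model interface{}) error {
	want, err := primaryType(model)
	if err != nil {
		return err
	}
	var doc struct {
		Data struct{ Type string `json:"type"` } `json:"data"`
	}
	if err := json.Unmarshal(body, &doc); err != nil {
		return err
	}
	if doc.Data.Type != want {
		return fmt.Errorf("%w: got %q, want %q", ErrTypeConflict, doc.Data.Type, want)
	}
	return nil
}

func main() { fmt.Println(CheckPayloadType([]byte(`{"data":{"type":"NOTtests"}}`), new(Test))) }
```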