Open mstniy opened 3 years ago
Thanks for reporting!
I label this as needs more info
until the test in the PR ails and confirms that this does not work.
I changed to title to be specific about adding a new object key. If I understand correctly, modifying an existing key does not require "add field" permission.
If I understand correctly, modifying an existing key does not require "add field" permission.
It indeed does, if one tries to modify a key of a nested document.
So the issue occurs when modifying an existing key and when adding a new key?
When modifying a nested object, no matter whether you are introducing a new key to the nested object or modifying a key that already exists.
Thanks for clarifying, so I commented on your PR to include tests for both scenarios.
New Issue Checklist
Issue Description
Using
PUT
to modify a nested document fails unless the caller has addField permissions, even if the request doesn't add a new field.Steps to reproduce
PUSH
to create this object:{ "a": {"b":1}}
PUT
to change the 1 to a 2 :{"a.b": 4}
Actual Outcome
The first
PUT
request should succeed, even without the addField permission, because it does not add a new field.Expected Outcome
It fails due to a lack of addField permission.
Failing Test Case / Pull Request
Environment
Server
94b7b32
, a commit from 19/04/2021Ubuntu 20.04
local
Database
MongoDB
4.4.5
local
Client
any
any
Logs