sourcefuse / loopback4-microservice-catalog

A Catalog of Microservices Created by SourceFuse for the Community
https://sourcefuse.github.io/arc-docs/arc-api-docs/
MIT License

Restrict modification of fields that should not be modifiable with API #2092

Closed AryanshSourcefuse closed 3 months ago

AryanshSourcefuse commented 3 months ago

Is your feature request related to a problem? Please describe. If we create a model with ARC's UserModifiableEntity or BaseEntity, I am able to update fields/columns which should not be updatable from the API. Example: createdOn, createdBy, modifiedOn, modifiedBy, deletedOn, deletedBy

Right now there's no safeguard against modification: if I make an API call with the above fields in the request body, they get updated in the DB. So any authenticated user can write any data into the above fields, like different user ids in createdBy, modifiedBy, deletedBy, or a different time (even a past date/time) in createdOn, modifiedOn and deletedOn.

Describe the solution you'd like Fields like createdOn, createdBy, modifiedOn, modifiedBy, deletedOn, deletedBy should be calculated on the backend, and their values should not be taken from the API's request body.

Additional context Sandbox Repo: https://github.com/AryanshSourcefuse/sandbox-sourceloop Here I created just a todo service and a todo model, then called the POST /todos API to create a todo with some random data.

Request body (notice the dates are in the past and, in place of user ids, I have added "Random User"):

{
  "deleted": true,
  "deletedOn": "2022-05-12T16:35:01.141Z",
  "deletedBy": "Random User",
  "createdOn": "2022-05-12T16:35:01.141Z",
  "modifiedOn": "2022-05-12T16:35:01.141Z",
  "createdBy": "Random User",
  "modifiedBy": "Random User",
  "title": "Hi"
}

Once I made the API request, an entry was made in the database (refer to the screenshot below). [screenshot not reproduced]
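The server-side guard the issue asks for, as an added illustration that is not code from loopback4-microservice-catalog or @sourceloop/core: client-supplied audit fields are dropped from the request body (and reported, so a request handler can log them), and the fields are recomputed from the authenticated user and a clock. The `CurrentUser` shape, the `prepare*` function names and the injectable `now` clock are assumptions for this example; the sample request body is the one from the issue.

```typescript
// Added example, not ARC / loopback4-microservice-catalog code.
// Audit fields are never trusted from the request body; they are computed here
// from the authenticated principal and the server clock.

const AUDIT_FIELDS: ReadonlySet<string> = new Set([
  'createdOn', 'createdBy', 'modifiedOn', 'modifiedBy',
  'deletedOn', 'deletedBy', 'deleted',
]);

// Assumed shape of the authenticated user (e.g. from an auth strategy).
interface CurrentUser { id: string }
type Clock = () => Date;
type Row = Record<string, unknown>;

// Remove every audit field from the incoming body and report which ones the
// client tried to set, so the caller can log the attempt.
function stripAuditFields(body: Row): { data: Row; rejected: string[] } {
  const data: Row = {};
  const rejected: string[] = [];
  for (const [key, value] of Object.entries(body)) {
    if (AUDIT_FIELDS.has(key)) rejected.push(key);
    else data[key] = value;
  }
  return { data, rejected };
}

// POST: creation metadata comes from the server, never from the client.
function prepareCreate(body: Row, user: CurrentUser, now: Clock = () => new Date()) {
  const { data, rejected } = stripAuditFields(body);
  const ts = now().toISOString();
  const entity: Row = {
    ...data,
    createdOn: ts, createdBy: user.id,
    modifiedOn: ts, modifiedBy: user.id,
    deleted: false, // a new row can never be born deleted
  };
  return { entity, rejected };
}

// PATCH/PUT: createdOn/createdBy and the deletion fields are carried over from
// the stored row; only modifiedOn/modifiedBy change, and the server sets them.
function prepareUpdate(existing: Row, body: Row, user: CurrentUser, now: Clock = () => new Date()) {
  const { data, rejected } = stripAuditFields(body);
  const entity: Row = {
    ...existing,
    ...data,
    modifiedOn: now().toISOString(), modifiedBy: user.id,
  };
  return { entity, rejected };
}

// DELETE (soft): deletion metadata is likewise stamped server-side.
function prepareSoftDelete(existing: Row, user: CurrentUser, now: Clock = () => new Date()): Row {
  const ts = now().toISOString();
  return { ...existing, deleted: true, deletedOn: ts, deletedBy: user.id,
           modifiedOn: ts, modifiedBy: user.id };
}

// Constructed sample input: the request body from the issue.
const sampleRequestBody: Row = {
  deleted: true,
  deletedOn: '2022-05-12T16:35:01.141Z',
  deletedBy: 'Random User',
  createdOn: '2022-05-12T16:35:01.141Z',
  modifiedOn: '2022-05-12T16:35:01.141Z',
  createdBy: 'Random User',
  modifiedBy: 'Random User',
  title: 'Hi',
};

const demo = prepareCreate(sampleRequestBody, { id: 'user-42' },
                           () => new Date('2024-01-01T00:00:00.000Z'));
console.log(JSON.stringify(demo, null, 2));
```

Wiring this into a LoopBack 4 service would mean calling `prepareCreate`/`prepareUpdate` in the repository layer (or an interceptor) rather than in each controller, so that every write path, including ones added later, goes through the same guard; the `rejected` list is worth emitting to the audit log, since a client populating `createdBy` with another user's id is itself a signal.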

samarpan-b commented 3 months ago

@AryanshSourcefuse are you using UserModifiableRepository as the base class for your repository? If not, then you need to do that. I can see in your sandbox example that you have not used the repo I mentioned. You need to use that for restrictions. It's mentioned in the readme as well. It's similar to how softdelete works. Please fix the repository base class and then check.

AryanshSourcefuse commented 3 months ago

Sorry, I was not able to find that in the docs.