colymba/silverstripe-restfulapi

How to prevent POST requests specifying ID

Closed this issue · 1 comments

I'm looking for some ideas on how to best prevent users' POST requests from specifying the ID parameter.

Scenario:

    POST { Id: 99999999999, OtherFields: "FooBar" }

This sets the MySQL AUTO INCREMENT value to the max signed/unsigned integer value, essentially breaking any new inserts.

Can I get the HTTP method within onAfterDeserialize to prevent transactions using the Id field when creating a record? Or should I be doing this in onBeforeWrite? Again, how do I know if this is a new record or an update to the record?

Am I just doing it wrong? Is there another way to prevent fields being updated/created?

I ended up using the following on my base DataObject class:

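    public function onAfterDeserialize(&$data)
    {
        // Drop any client-supplied ID on POST/PUT so the database assigns it.
        $request = Controller::curr()->getRequest();
        // isset() avoids an undefined-index notice when no ID was sent.
        if (($request->isPOST() || $request->isPUT()) && isset($data['ID'])) {
            unset($data['ID']);
        }
    }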
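
On the question of whether there is another way to stop fields being set by the client: an allowlist works in the opposite direction from unsetting ID, keeping only fields named as writable so that ID and other server-managed columns are dropped whatever casing the client uses. This is an added example, not code from the issue or from silverstripe-restfulapi; `filterWritableFields`, the `$writable` list and the sample payload are hypothetical, and calling it from a hook such as onAfterDeserialize is an assumption.

```php
<?php
// Added example: allowlist filter for a deserialized API payload.
// Function name, field list and payload are hypothetical.

/**
 * Keep only the fields a client is allowed to write.
 * Keys are matched case-insensitively so "Id", "id" and "ID"
 * are all treated as the same (non-writable) field.
 */
function filterWritableFields(array $data, array $writable): array
{
    // Map lowercase name -> canonical field name.
    $canonical = [];
    foreach ($writable as $field) {
        $canonical[strtolower($field)] = $field;
    }

    $clean = [];
    foreach ($data as $key => $value) {
        $lookup = strtolower((string) $key);
        if (isset($canonical[$lookup])) {
            // Store under the canonical name, discarding the client's casing.
            $clean[$canonical[$lookup]] = $value;
        }
        // Anything not on the allowlist (ID, timestamps, ...) is dropped.
    }
    return $clean;
}

// Constructed sample payload, modelled on the scenario in the issue.
$payload = [
    'Id'          => 99999999999,
    'OtherFields' => 'FooBar',
    'Created'     => '1970-01-01 00:00:00',
];

// Hypothetical allowlist for this model.
$writable = ['OtherFields'];

$clean = filterWritableFields($payload, $writable);

// Only the allowlisted field survives.
assert($clean === ['OtherFields' => 'FooBar']);
echo json_encode($clean), PHP_EOL;
```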