API allows changes to variants, segments, etc. when they are not on the given flag
vodzak opened this issue · 3 comments
Expected Behavior
When calling the API with a flag ID and a variant, segment, etc. that does not exist on that flag, an error is returned and no action is taken.
Expect response similar to the error response given when PUT /flags/{flagID}/segments/{segmentID}/distributions is called with a variant that is not on the flag. The error that's returned is "message": "status_code: 400. error finding variantID 1 under this flag. expecting [4 5]"
.
Current Behavior
Currently, the API allows changes to elements that do not exist on the specified flag and no response is returned.
Steps to Reproduce
API calls that don't return an error and the action is taken:
- DELETE /flags/{flagID}/variants/{variantID}
- where variantID is not on the flag
- DELETE /flags/{flagID}/segments/{segmentID}
- where segmentID is not on the flag
- DELETE /flags/{flagID}/segments/{segmentID}/constraints/{constraintID}
- where segmentID is on the flag, but constraintID is not
- where segmentID and the constraintID are not on the flag
- POST /flags/{flagID}/segments/{segmentID}/constraints
- where segmentID is not on the flag
- PUT /flags/{flagID}/segments/{segmentID}/distributions
- where segmentID is not on the flag, and variantID in body is not on the flag
Your Environment
- Version 1.1.12 hosted in Red Hat OpenShift.
Good catch!
We should definitely add a layer of validation to check if the flagID matches it children entities' IDs.
variantID, segmentID, and etc are global unique, that's probably why that check was skipped for now.
A validation check would be perfect!
One other thing that I forgot to mention in my original comment: API will allow variants to be deleted even if they're in use in a Flag's distribution.
calling DELETE /flags/{flagID}/variants/{variantID} where variantID is not on the flag would result in the variant being deleted, even if the variant was in use in a distribution on its flag.
Stale issue message