Fixed: Do not allow the use of 'lid' when client-generated IDs are required

bkoelman · bkoelman · commit 73029067bad3 · 2024-06-30T13:57:15.000+02:00
diff --git a/src/JsonApiDotNetCore/Serialization/Request/Adapters/AtomicOperationObjectAdapter.cs b/src/JsonApiDotNetCore/Serialization/Request/Adapters/AtomicOperationObjectAdapter.cs
@@ -125,7 +125,9 @@ private ResourceIdentityRequirements CreateRefRequirements(RequestAdapterState s
         return new ResourceIdentityRequirements
         {
             EvaluateIdConstraint = resourceType =>
-                ResourceIdentityRequirements.DoEvaluateIdConstraint(resourceType, state.Request.WriteOperation, _options.ClientIdGeneration)
+                ResourceIdentityRequirements.DoEvaluateIdConstraint(resourceType, state.Request.WriteOperation, _options.ClientIdGeneration),
+            EvaluateAllowLid = resourceType =>
+                ResourceIdentityRequirements.DoEvaluateAllowLid(resourceType, state.Request.WriteOperation, _options.ClientIdGeneration)
         };
     }
 
@@ -135,6 +137,7 @@ private static ResourceIdentityRequirements CreateDataRequirements(AtomicReferen
         {
             ResourceType = refResult.ResourceType,
             EvaluateIdConstraint = refRequirements.EvaluateIdConstraint,
+            EvaluateAllowLid = refRequirements.EvaluateAllowLid,
             IdValue = refResult.Resource.StringId,
             LidValue = refResult.Resource.LocalId,
             RelationshipName = refResult.Relationship?.PublicName
diff --git a/src/JsonApiDotNetCore/Serialization/Request/Adapters/RelationshipDataAdapter.cs b/src/JsonApiDotNetCore/Serialization/Request/Adapters/RelationshipDataAdapter.cs
@@ -1,4 +1,5 @@
 using System.Collections;
+using JsonApiDotNetCore.Middleware;
 using JsonApiDotNetCore.Resources;
 using JsonApiDotNetCore.Resources.Annotations;
 using JsonApiDotNetCore.Serialization.Objects;
@@ -71,6 +72,7 @@ private static SingleOrManyData<ResourceIdentifierObject> ToIdentifierData(Singl
         {
             ResourceType = relationship.RightType,
             EvaluateIdConstraint = _ => JsonElementConstraint.Required,
+            EvaluateAllowLid = _ => state.Request.Kind == EndpointKind.AtomicOperations,
             RelationshipName = relationship.PublicName
         };
 
diff --git a/src/JsonApiDotNetCore/Serialization/Request/Adapters/ResourceIdentityAdapter.cs b/src/JsonApiDotNetCore/Serialization/Request/Adapters/ResourceIdentityAdapter.cs
@@ -96,18 +96,20 @@ private static void AssertIsCompatibleResourceType(ResourceType actual, Resource
     private IIdentifiable CreateResource(ResourceIdentity identity, ResourceIdentityRequirements requirements, ResourceType resourceType,
         RequestAdapterState state)
     {
-        if (state.Request.Kind != EndpointKind.AtomicOperations)
+        AssertNoIdWithLid(identity, state);
+
+        bool allowLid = requirements.EvaluateAllowLid?.Invoke(resourceType) ?? false;
+
+        if (!allowLid)
         {
             AssertHasNoLid(identity, state);
         }
 
-        AssertNoIdWithLid(identity, state);
-
         JsonElementConstraint? idConstraint = requirements.EvaluateIdConstraint?.Invoke(resourceType);
 
         if (idConstraint == JsonElementConstraint.Required)
         {
-            AssertHasIdOrLid(identity, requirements, state);
+            AssertHasIdOrLid(identity, requirements, allowLid, state);
         }
         else if (idConstraint == JsonElementConstraint.Forbidden)
         {
@@ -128,7 +130,10 @@ private static void AssertHasNoLid(ResourceIdentity identity, RequestAdapterStat
         if (identity.Lid != null)
         {
             using IDisposable _ = state.Position.PushElement("lid");
-            throw new ModelConversionException(state.Position, "The 'lid' element is not supported at this endpoint.", null);
+
+            throw state.Request.Kind == EndpointKind.AtomicOperations
+                ? new ModelConversionException(state.Position, "The 'lid' element cannot be used because a client-generated ID is required.", null)
+                : new ModelConversionException(state.Position, "The 'lid' element is not supported at this endpoint.", null);
         }
     }
 
@@ -140,7 +145,7 @@ private static void AssertNoIdWithLid(ResourceIdentity identity, RequestAdapterS
         }
     }
 
-    private static void AssertHasIdOrLid(ResourceIdentity identity, ResourceIdentityRequirements requirements, RequestAdapterState state)
+    private static void AssertHasIdOrLid(ResourceIdentity identity, ResourceIdentityRequirements requirements, bool allowLid, RequestAdapterState state)
     {
         string? message = null;
 
@@ -154,7 +159,7 @@ private static void AssertHasIdOrLid(ResourceIdentity identity, ResourceIdentity
         }
         else if (identity.Id == null && identity.Lid == null)
         {
-            message = state.Request.Kind == EndpointKind.AtomicOperations ? "The 'id' or 'lid' element is required." : "The 'id' element is required.";
+            message = allowLid ? "The 'id' or 'lid' element is required." : "The 'id' element is required.";
         }
 
         if (message != null)
diff --git a/src/JsonApiDotNetCore/Serialization/Request/Adapters/ResourceIdentityRequirements.cs b/src/JsonApiDotNetCore/Serialization/Request/Adapters/ResourceIdentityRequirements.cs
@@ -21,6 +21,11 @@ public sealed class ResourceIdentityRequirements
     /// </summary>
     public Func<ResourceType, JsonElementConstraint?>? EvaluateIdConstraint { get; init; }
 
+    /// <summary>
+    /// When not null, provides a callback to indicate whether the "lid" element can be used instead of the "id" element. Defaults to <c>false</c>.
+    /// </summary>
+    public Func<ResourceType, bool>? EvaluateAllowLid { get; init; }
+
     /// <summary>
     /// When not null, indicates what the value of the "id" element must be.
     /// </summary>
@@ -50,4 +55,15 @@ public sealed class ResourceIdentityRequirements
             }
             : JsonElementConstraint.Required;
     }
+
+    internal static bool DoEvaluateAllowLid(ResourceType resourceType, WriteOperationKind? writeOperation, ClientIdGenerationMode globalClientIdGeneration)
+    {
+        if (writeOperation == null)
+        {
+            return false;
+        }
+
+        ClientIdGenerationMode clientIdGeneration = resourceType.ClientIdGeneration ?? globalClientIdGeneration;
+        return !(writeOperation == WriteOperationKind.CreateResource && clientIdGeneration == ClientIdGenerationMode.Required);
+    }
 }
diff --git a/test/JsonApiDotNetCoreTests/IntegrationTests/AtomicOperations/Creating/AtomicCreateResourceWithClientGeneratedIdTests.cs b/test/JsonApiDotNetCoreTests/IntegrationTests/AtomicOperations/Creating/AtomicCreateResourceWithClientGeneratedIdTests.cs
@@ -175,7 +175,7 @@ public async Task Cannot_create_resource_for_missing_client_generated_ID()
 
         ErrorObject error = responseDocument.Errors[0];
         error.StatusCode.Should().Be(HttpStatusCode.UnprocessableEntity);
-        error.Title.Should().Be("Failed to deserialize request body: The 'id' or 'lid' element is required.");
+        error.Title.Should().Be("Failed to deserialize request body: The 'id' element is required.");
         error.Detail.Should().BeNull();
         error.Source.ShouldNotBeNull();
         error.Source.Pointer.Should().Be("/atomic:operations[0]/data");
@@ -281,6 +281,45 @@ public async Task Cannot_create_resource_for_incompatible_ID()
         error.Meta.ShouldContainKey("requestBody").With(value => value.ShouldNotBeNull().ToString().ShouldNotBeEmpty());
     }
 
+    [Fact]
+    public async Task Cannot_create_resource_with_local_ID()
+    {
+        // Arrange
+        var requestBody = new
+        {
+            atomic__operations = new[]
+            {
+                new
+                {
+                    op = "add",
+                    data = new
+                    {
+                        type = "textLanguages",
+                        lid = "new-server-id"
+                    }
+                }
+            }
+        };
+
+        const string route = "/operations";
+
+        // Act
+        (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecutePostAtomicAsync<Document>(route, requestBody);
+
+        // Assert
+        httpResponse.ShouldHaveStatusCode(HttpStatusCode.UnprocessableEntity);
+
+        responseDocument.Errors.ShouldHaveCount(1);
+
+        ErrorObject error = responseDocument.Errors[0];
+        error.StatusCode.Should().Be(HttpStatusCode.UnprocessableEntity);
+        error.Title.Should().Be("Failed to deserialize request body: The 'lid' element cannot be used because a client-generated ID is required.");
+        error.Detail.Should().BeNull();
+        error.Source.ShouldNotBeNull();
+        error.Source.Pointer.Should().Be("/atomic:operations[0]/data/lid");
+        error.Meta.ShouldContainKey("requestBody").With(value => value.ShouldNotBeNull().ToString().ShouldNotBeEmpty());
+    }
+
     [Fact]
     public async Task Cannot_create_resource_for_ID_and_local_ID()
     {

Original file line number	Diff line number	Diff line change
`@@ -125,7 +125,9 @@ private ResourceIdentityRequirements CreateRefRequirements(RequestAdapterState s`
`125`	`125`	`return new ResourceIdentityRequirements`
`126`	`126`	`{`
`127`	`127`	`EvaluateIdConstraint = resourceType =>`
`128`		`- ResourceIdentityRequirements.DoEvaluateIdConstraint(resourceType, state.Request.WriteOperation, _options.ClientIdGeneration)`
	`128`	`+ ResourceIdentityRequirements.DoEvaluateIdConstraint(resourceType, state.Request.WriteOperation, _options.ClientIdGeneration),`
	`129`	`+ EvaluateAllowLid = resourceType =>`
	`130`	`+ ResourceIdentityRequirements.DoEvaluateAllowLid(resourceType, state.Request.WriteOperation, _options.ClientIdGeneration)`
`129`	`131`	`};`
`130`	`132`	`}`
`131`	`133`
`@@ -135,6 +137,7 @@ private static ResourceIdentityRequirements CreateDataRequirements(AtomicReferen`
`135`	`137`	`{`
`136`	`138`	`ResourceType = refResult.ResourceType,`
`137`	`139`	`EvaluateIdConstraint = refRequirements.EvaluateIdConstraint,`
	`140`	`+ EvaluateAllowLid = refRequirements.EvaluateAllowLid,`
`138`	`141`	`IdValue = refResult.Resource.StringId,`
`139`	`142`	`LidValue = refResult.Resource.LocalId,`
`140`	`143`	`RelationshipName = refResult.Relationship?.PublicName`
Original file line number	Diff line number	Diff line change
`@@ -96,18 +96,20 @@ private static void AssertIsCompatibleResourceType(ResourceType actual, Resource`
`96`	`96`	`private IIdentifiable CreateResource(ResourceIdentity identity, ResourceIdentityRequirements requirements, ResourceType resourceType,`
`97`	`97`	`RequestAdapterState state)`
`98`	`98`	`{`
`99`		`- if (state.Request.Kind != EndpointKind.AtomicOperations)`
	`99`	`+ AssertNoIdWithLid(identity, state);`
	`100`	`+`
	`101`	`+ bool allowLid = requirements.EvaluateAllowLid?.Invoke(resourceType) ?? false;`
	`102`	`+`
	`103`	`+ if (!allowLid)`
`100`	`104`	`{`
`101`	`105`	`AssertHasNoLid(identity, state);`
`102`	`106`	`}`
`103`	`107`
`104`		`- AssertNoIdWithLid(identity, state);`
`105`		`-`
`106`	`108`	`JsonElementConstraint? idConstraint = requirements.EvaluateIdConstraint?.Invoke(resourceType);`
`107`	`109`
`108`	`110`	`if (idConstraint == JsonElementConstraint.Required)`
`109`	`111`	`{`
`110`		`- AssertHasIdOrLid(identity, requirements, state);`
	`112`	`+ AssertHasIdOrLid(identity, requirements, allowLid, state);`
`111`	`113`	`}`
`112`	`114`	`else if (idConstraint == JsonElementConstraint.Forbidden)`
`113`	`115`	`{`
`@@ -128,7 +130,10 @@ private static void AssertHasNoLid(ResourceIdentity identity, RequestAdapterStat`
`128`	`130`	`if (identity.Lid != null)`
`129`	`131`	`{`
`130`	`132`	`using IDisposable _ = state.Position.PushElement("lid");`
`131`		`- throw new ModelConversionException(state.Position, "The 'lid' element is not supported at this endpoint.", null);`
	`133`	`+`
	`134`	`+ throw state.Request.Kind == EndpointKind.AtomicOperations`
	`135`	`+ ? new ModelConversionException(state.Position, "The 'lid' element cannot be used because a client-generated ID is required.", null)`
	`136`	`+ : new ModelConversionException(state.Position, "The 'lid' element is not supported at this endpoint.", null);`
`132`	`137`	`}`
`133`	`138`	`}`
`134`	`139`
`@@ -140,7 +145,7 @@ private static void AssertNoIdWithLid(ResourceIdentity identity, RequestAdapterS`
`140`	`145`	`}`
`141`	`146`	`}`
`142`	`147`
`143`		`- private static void AssertHasIdOrLid(ResourceIdentity identity, ResourceIdentityRequirements requirements, RequestAdapterState state)`
	`148`	`+ private static void AssertHasIdOrLid(ResourceIdentity identity, ResourceIdentityRequirements requirements, bool allowLid, RequestAdapterState state)`
`144`	`149`	`{`
`145`	`150`	`string? message = null;`
`146`	`151`
`@@ -154,7 +159,7 @@ private static void AssertHasIdOrLid(ResourceIdentity identity, ResourceIdentity`
`154`	`159`	`}`
`155`	`160`	`else if (identity.Id == null && identity.Lid == null)`
`156`	`161`	`{`
`157`		`- message = state.Request.Kind == EndpointKind.AtomicOperations ? "The 'id' or 'lid' element is required." : "The 'id' element is required.";`
	`162`	`+ message = allowLid ? "The 'id' or 'lid' element is required." : "The 'id' element is required.";`
`158`	`163`	`}`
`159`	`164`
`160`	`165`	`if (message != null)`