  1. OASIS Open Data Protocol (OData) TC
  2. ODATA-941

Attempting to modify a property with read-only permissions should fail


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: V4.0_ERRATA03
    • Fix Version/s: V4.01_WD01
    • Component/s: Protocol
    • Labels:
      None
    • Environment:

      [Proposed]

    • Proposal:

      Clarify that "non-updatable" in 11.4.3, Update an Entity, means "marked as computed or read-only in metadata".

      Specify that services should error if an insert or update contains an updatable property that cannot be changed by this user at this time (i.e., given the current state of the object, or for which the user doesn't have permission to update), and the value of the property does not match the value specified by the user. In this case, the service MAY return an error even if the property does match the value specified by the user.

      As a result, clients should use PATCH and only specify the properties that they want to change.

      Updating a specific property (identified as the target of the update URL) should fail if the property is not updatable.

    • Resolution:
      https://www.oasis-open.org/apps/org/workgroup/odata/download.php/59028/odata-v4.01-wd01-part1-protocol.docx

      Description

      Currently, in 11.4.3, Update an Entity, we say that "Key and other non-updatable properties, as well as dependent properties that are not tied to key properties of the principal entity, can be omitted from the request. If the request contains a value for one of these properties, the service MUST ignore that value when applying the update."

      We don't explicitly say how to handle properties that are read-write, but for which the user doesn't have permissions. Are they considered "non-updatable" or are they considered updatable properties for which the user lacks the permission to update?

      The reason that we say read-only properties in the payload are ignored is so that a client can take what they read and write it back without having to remove certain properties. For the general case, we didn't want to burden (and slow) the service by requiring it to do a validity check on the read-only properties (type, id, etc.), and we wanted to be able to "copy" an entity by reading it and then doing a POST and having the id ignored.

      However, for cases where the user doesn't have permission to write a property it's probably wrong to return success if the final state of the property doesn't match the request. We still want the user to be able to PUT/PATCH the value they have read, without having to edit out certain values, but in this case we should probably raise an exception if the current value of the property was not the value specified by the user.
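
The update handling proposed in this issue, sketched as an added example (not part of the issue and not taken from any OData implementation). The role-based `write_roles` map, the `UpdateRejected` exception and the sample entity are assumptions; the issue names no error code, and a real service might also base the check on the current state of the object.

```python
from dataclasses import dataclass, field

class UpdateRejected(Exception):
    """The payload would change a property this user may not change."""

@dataclass
class EntityType:
    # Properties marked as key, computed or read-only in metadata ("non-updatable").
    non_updatable: frozenset
    # Hypothetical permission model: property name -> roles allowed to change it.
    write_roles: dict = field(default_factory=dict)

def apply_update(entity_type, current, payload, role, strict=False):
    """Return the new entity state for an update, or raise UpdateRejected.

    strict=True models the MAY clause: reject a protected property even
    when the submitted value equals the stored one.
    """
    accepted = {}
    for name, value in payload.items():
        if name in entity_type.non_updatable:
            continue  # 11.4.3: the service ignores the value, no validity check
        allowed = entity_type.write_roles.get(name)
        if allowed is not None and role not in allowed:
            if strict or current.get(name) != value:
                raise UpdateRejected(name)
            continue  # round-tripped, unchanged value: nothing to write
        accepted[name] = value
    # All properties are validated before any is applied, so a rejected
    # request leaves the entity untouched.
    return {**current, **accepted}

# Constructed sample data.
PRODUCT = EntityType(
    non_updatable=frozenset({"ID", "ModifiedAt"}),
    write_roles={"Price": {"pricing-admin"}},
)
STORED = {"ID": 7, "ModifiedAt": "2016-01-01T00:00:00Z", "Name": "Widget", "Price": 10}

def demo():
    # Client writes back what it read, changing only Name: succeeds, ID is ignored.
    sent = {**STORED, "ID": 99, "Name": "Gadget"}
    round_trip = apply_update(PRODUCT, STORED, sent, "clerk")
    # Same client tries to change Price: fails instead of silently succeeding.
    try:
        apply_update(PRODUCT, STORED, {"Price": 1}, "clerk")
        rejected = None
    except UpdateRejected as exc:
        rejected = str(exc)
    return round_trip, rejected
```
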

            People

            • Assignee:
              Unassigned
              Reporter:
              mikep Michael Pizzo