API accepts non-ObjectID id's when creating posts
Issue Summary
It’s possible to POST to the /posts/ endpoint including a numeric id attribute which is successfully saved to the database. When later trying to edit that post the server raises a 422 ValidationError with the message:
Saving failed: Validation (matches) failed for id
Steps to Reproduce
- Use Postman or similar to send a POST /posts/ request with a numeric ID property in the post’s JSON
- Open the new post in the admin area’s editor
- Attempt to save it
We should be ignoring (ideally) or at least validating ID attributes when creating posts via the API.
Technical details:
- Ghost Version: 1.11.0
Issue Analytics
- State:
- Created 6 years ago
- Comments:11 (8 by maintainers)
Top GitHub Comments
I would suggest that forbidding is better than ignoring. So better send a 400 Bad Request (or 422) status back than silently drop the parameter.

With JSON Schema validations landing in master for posts and tags Admin API endpoints, id fields are now stripped from the input and ignored during validation phase 👍
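
The two options discussed in this issue (silently ignoring a client-supplied id, or rejecting it with a 422), as an added example that is not Ghost's code and not part of the original thread. The `{posts: [...]}` body shape, the helper names and the 24-hex-character ObjectID pattern are assumptions made for the sketch.

```javascript
// Added example: hypothetical helpers, not Ghost's implementation.
// Assumption: an ObjectID in string form is 24 hexadecimal characters.
const OBJECT_ID = /^[a-f0-9]{24}$/i;

// Fields the server generates itself; a client must not set them on create.
const SERVER_OWNED = ['id'];

class ValidationError extends Error {
    constructor(message) {
        super(message);
        this.name = 'ValidationError';
        this.statusCode = 422;
    }
}

// mode 'strip'  : drop server-owned fields silently (the "ignore" option)
// mode 'reject' : refuse the whole request with a 422 (the "forbid" option)
function sanitizeCreatePayload(body, mode = 'strip') {
    if (!body || !Array.isArray(body.posts) || body.posts.length === 0) {
        throw new ValidationError('Request body must contain a non-empty posts array');
    }
    const posts = body.posts.map((post) => {
        if (post === null || typeof post !== 'object' || Array.isArray(post)) {
            throw new ValidationError('Each post must be an object');
        }
        const forbidden = Object.keys(post).filter((key) => SERVER_OWNED.includes(key));
        if (forbidden.length > 0 && mode === 'reject') {
            throw new ValidationError(`Field(s) not allowed on create: ${forbidden.join(', ')}`);
        }
        // Object.fromEntries defines plain data properties, so a "__proto__"
        // key in the JSON cannot change the prototype of the cleaned object.
        return Object.fromEntries(
            Object.entries(post).filter(([key]) => !SERVER_OWNED.includes(key))
        );
    });
    return {posts};
}

// For routes that receive an id (read, edit): accept only well-formed
// ObjectID strings, so a numeric id such as 1 is refused before any lookup.
function isObjectId(value) {
    return typeof value === 'string' && OBJECT_ID.test(value);
}
```
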