Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

API accepts non-ObjectID id's when creating posts

See original GitHub issue

Issue Summary

It’s possible to POST to the /posts/ endpoint including a numeric id attribute which is successfully saved to the database. When later trying to edit that post the server raises a 422 ValidationError with the message:

Saving failed: Validation (matches) failed for id

Steps to Reproduce

Use Postman or similar to send a POST /posts/ request with a numeric ID property in the post’s JSON
Open the new post in the admin area’s editor
Attempt to save it

We should be ignoring (ideally) or at least validating ID attributes when creating posts via the API.

Technical details:

Ghost Version: 1.11.0

Issue Analytics

State:
Created 6 years ago
Comments:11 (8 by maintainers)

Top GitHub Comments

3reactions

mdornseifcommented, Oct 4, 2017

I would suggest that forbidding is better than ignoring. So better send an 400 Bad Request (or 422) status back then silently drop the parameter.

1reaction

nazcommented, Feb 13, 2019

With JSON Schema validations landing in master for posts and tags Admin API endpoints, id fields are now stripped from the input and ignored during validation phase 👍