Merge pull request #707 from cerebris/id_respect_creatable

lgebhardt · lgebhardt · commit 31c13c00213a · 2016-05-24T17:10:20.000-04:00
Make id respect creatable_fields
diff --git a/lib/jsonapi/request_parser.rb b/lib/jsonapi/request_parser.rb
@@ -537,7 +537,14 @@ def verify_permitted_params(params, allowed_fields)
               end
             end
           end
-        when 'type', 'id'
+        when 'type'
+        when 'id'
+          unless formatted_allowed_fields.include?(:id)
+            params_not_allowed.push(:id)
+            unless JSONAPI.configuration.raise_if_parameters_not_allowed
+              params.delete :id
+            end
+          end
         else
           params_not_allowed.push(key)
         end
diff --git a/test/controllers/controller_test.rb b/test/controllers/controller_test.rb
@@ -511,6 +511,28 @@ def test_create_simple
     assert_equal json_response['data']['links']['self'], response.location
   end
 
+  def test_create_simple_id_not_allowed
+    set_content_type_header!
+    post :create, params:
+      {
+        data: {
+          type: 'posts',
+          id: 'asdfg',
+          attributes: {
+            title: 'JR is Great',
+            body: 'JSONAPIResources is the greatest thing since unsliced bread.'
+          },
+          relationships: {
+            author: {data: {type: 'people', id: '3'}}
+          }
+        }
+      }
+
+    assert_response :bad_request
+    assert_match /id is not allowed/, response.body
+    assert_equal nil,response.location
+  end
+
   def test_create_link_to_missing_object
     set_content_type_header!
     post :create, params:
@@ -563,6 +585,7 @@ def test_create_extra_param_allow_extra_params
       {
         data: {
           type: 'posts',
+          id: 'my_id',
           attributes: {
             asdfg: 'aaaa',
             title: 'JR is Great',
@@ -581,10 +604,13 @@ def test_create_extra_param_allow_extra_params
     assert_equal 'JR is Great', json_response['data']['attributes']['title']
     assert_equal 'JSONAPIResources is the greatest thing since unsliced bread.', json_response['data']['attributes']['body']
 
-    assert_equal 1, json_response['meta']["warnings"].count
+    assert_equal 2, json_response['meta']["warnings"].count
     assert_equal "Param not allowed", json_response['meta']["warnings"][0]["title"]
-    assert_equal "asdfg is not allowed.", json_response['meta']["warnings"][0]["detail"]
+    assert_equal "id is not allowed.", json_response['meta']["warnings"][0]["detail"]
     assert_equal '105', json_response['meta']["warnings"][0]["code"]
+    assert_equal "Param not allowed", json_response['meta']["warnings"][1]["title"]
+    assert_equal "asdfg is not allowed.", json_response['meta']["warnings"][1]["detail"]
+    assert_equal '105', json_response['meta']["warnings"][1]["code"]
     assert_equal json_response['data']['links']['self'], response.location
   ensure
     JSONAPI.configuration.raise_if_parameters_not_allowed = true
diff --git a/test/fixtures/active_record.rb b/test/fixtures/active_record.rb
@@ -959,7 +959,7 @@ def self.updatable_fields(context)
   end
 
   def self.creatable_fields(context)
-    super(context) - [:subject]
+    super(context) - [:subject, :id]
   end
 
   def self.sortable_fields(context)
