AspNetCoreOData
Critical correctness issue: action model binding is inside out and backward
This is an intentional duplicate of #619. I wonder if that issue lost visibility because of the way it went down a rabbit hole. The underlying problem was hashed out in comments and the original title was edited to reflect the increased severity after the issue was assigned and apparently forgotten.
The problem is in ODataActionPayloadDeserializer. It iterates over the properties that are found in the payload and looks up the corresponding IEdmOperationParameter. This is backward. It should iterate over IEdmOperation.Parameters and look for each one in the payload.
The inside-out iteration causes two problems: required parameters are not required, and unrecognized parameters incorrectly cause binding to fail because of the assertion on line 87.
Note that there's no "is optional" in IEdmOperationParameter. Optional parameters implement IEdmOptionalParameter. That interface includes what the default value should be if an optional parameter is not present in the payload.
Thank you @kjkrum for reporting this issue. Our apologies that it lost visibility when you reported it previously. Please find a link to how we process parameters in an Edm action payload: http://docs.oasis-open.org/odata/odata/v4.01/odata-v4.01-part1-protocol.html#sec_InvokinganAction
@gathogojr That's how it's supposed to work, not how it actually works. I cited that exact section of the spec in the comments on the original bug report.
ODataActionPayloadDeserializer iterating over the wrong thing makes it fundamentally impossible to implement the spec. Currently, it's iterating over the properties that are present in the payload. If a required property is missing, it never examines the model to determine that the property is required. It needs to iterate over the properties of the model and find them in the payload.
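
Added illustration, not part of the thread and not the library's code: the two iteration orders discussed above, run on the same constructed payload that omits a required parameter. `Param`, `ActionBinding`, `BindFromPayload` and `BindFromModel` are hypothetical stand-ins, not Microsoft.OData.Edm types.

```csharp
using System;
using System.Collections.Generic;

// Constructed sample: the action declares a required productId and an optional note.
var model = new List<Param> { new("productId"), new("note", Optional: true, DefaultValue: "none") };
var payload = new Dictionary<string, object> { ["note"] = "rush" };  // productId omitted

// Payload-driven binding accepts the request with the required parameter missing.
Console.WriteLine($"payload-driven bound {ActionBinding.BindFromPayload(model, payload).Count} parameter(s)");

// Model-driven binding rejects the same request.
try { ActionBinding.BindFromModel(model, payload); }
catch (InvalidOperationException e) { Console.WriteLine($"model-driven rejected: {e.Message}"); }

// Hypothetical stand-in for a declared action parameter.
record Param(string Name, bool Optional = false, string DefaultValue = "");

static class ActionBinding
{
    // Walks the payload and looks each property up in the model. A declared
    // parameter that is absent from the payload is never examined at all.
    public static Dictionary<string, object> BindFromPayload(
        List<Param> model, Dictionary<string, object> payload)
    {
        var bound = new Dictionary<string, object>();
        foreach (var (name, value) in payload)
        {
            if (!model.Exists(p => p.Name == name))
                throw new InvalidOperationException($"Unrecognized parameter '{name}'.");
            bound[name] = value;
        }
        return bound;
    }

    // Walks the declared parameters and looks each one up in the payload, so a
    // missing required parameter is detected and a missing optional one gets its default.
    public static Dictionary<string, object> BindFromModel(
        List<Param> model, Dictionary<string, object> payload)
    {
        var bound = new Dictionary<string, object>();
        foreach (var p in model)
        {
            if (payload.TryGetValue(p.Name, out var value)) bound[p.Name] = value;
            else if (p.Optional) bound[p.Name] = p.DefaultValue;
            else throw new InvalidOperationException($"Missing required parameter '{p.Name}'.");
        }
        return bound;
    }
}
```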