restheart icon indicating copy to clipboard operation
restheart copied to clipboard

Error on PATCH request using update operator expression when permission with mongo.mergeRequest applies

Open ujibang opened this issue 6 months ago • 0 comments

Describe the bug

PATCH requests allows the body to be an update operator expression or update aggregation pipeline. See https://restheart.org/docs/mongodb-rest/write-docs#mongodb-write-operations

When the request with operator expression is authorized by a permission specifying mongo.mergeRequest, the request fails.

To Reproduce

create test user and permission

$ http -a admin:secret :8080/users _id=test roles:='["test"]' password=secret
$ http -a admin:secret POST :8080/acl _id=testPermission roles:='["test"]' priority:=100 predicate="method(PATCH) and path-prefix('/test')" mongo.mergeRequest:='{ "author": "@user._id" }'

now try a PATCH on /test/doc with update operator expression; the request fails

$ http -a test:secret PUT :8080/test/doc a:=1  # create the doc
$ http -a test:secret PATCH :8080/test/doc "$set":='{"a": 2}'  # ===> this fails

ujibang avatar Feb 14 '24 10:02 ujibang