rest_gae

Doing a POST with an already existing id will overwrite the old instance

Open · dankrause opened this issue 12 years ago · 1 comment

Allowing string ids to be POSTed introduced a bug / security hole. When POSTing a new instance, or multiple instances, the id is accepted as is, and is posted over top of the old instance. Since nothing is ever fetched during a post, and that is also when the owner is set, the resulting instance becomes owned by whoever POSTed to it last.

It looks like the only way to safely post with a user-provided id is to first attempt to fetch all objects by id, and reject the request if any of them already exist.

This issue was caused by #11, and still exists in #15. It was noticed while testing a new permissions system (#16).

I can get the fix in with #16, or I can fix it separately. The fix will need to be redone for #16 anyway though.

dankrause, Feb 18 '14 18:02

The fix (when applied after merging #15) is just doing this before performing the put_multi:

from google.appengine.ext import ndb

# Attempt to fetch the models from the datastore to ensure that they don't already exist.
# ndb.get_multi returns None for every key that has no entity, so any() is true
# as soon as at least one of the POSTed ids is already taken.
keys = [m.key for m in models]
if any(ndb.get_multi(keys)):
    raise RESTException('Cannot POST to an existing model ID')

dankrause, Feb 18 '14 18:02
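The takeover described in the issue and the fetch-before-put check from the comment above, as an added example that is not part of rest_gae or of the thread. It runs against a small in-memory stand-in for ndb (FakeDatastore, Model, post_vulnerable, post_fixed and the two helper functions are all constructed for this example), so it can be executed without App Engine. Beyond the check in the comment it also rejects a batch that repeats the same id twice, and runs the check and the put inside one transaction, because a plain get_multi followed by put_multi leaves a window in which two concurrent POSTs with the same id can both pass the check.

```python
# Added example, not rest_gae's own code: an in-memory stand-in for the ndb
# calls in the POST path, used to show the owner takeover from the issue and
# the fetch-before-put fix from the comment. Everything here is constructed.
import threading
from dataclasses import dataclass, field


class RESTException(Exception):
    """Stands in for rest_gae's RESTException."""


@dataclass
class Model:
    key: str            # the user-supplied string id from the POST body
    owner: str          # set at POST time, which is exactly the problem
    data: dict = field(default_factory=dict)


class FakeDatastore:
    """Minimal stand-in for ndb.get_multi / ndb.put_multi / ndb.transaction."""

    def __init__(self):
        self._rows = {}
        self._lock = threading.Lock()

    def get_multi(self, keys):
        # Like ndb.get_multi: None for every key that has no entity.
        return [self._rows.get(k) for k in keys]

    def put_multi(self, models):
        for m in models:
            self._rows[m.key] = m

    def transaction(self, fn):
        # Serialises fn() so one check-then-put cannot interleave with another.
        with self._lock:
            return fn()


def _build(user, payloads):
    # As the issue describes: the id is accepted as is and the poster becomes owner.
    return [Model(key=p['id'], owner=user, data=p.get('data', {})) for p in payloads]


def post_vulnerable(ds, user, payloads):
    """The behaviour the issue reports: nothing is fetched, put_multi overwrites."""
    models = _build(user, payloads)
    ds.put_multi(models)
    return models


def post_fixed(ds, user, payloads):
    """The proposed fix, plus a duplicate-id check and a transaction around
    the check-then-put so two concurrent POSTs cannot both pass the check."""
    models = _build(user, payloads)
    keys = [m.key for m in models]
    if len(set(keys)) != len(keys):
        raise RESTException('Duplicate model ID in POST batch')

    def insert_if_absent():
        # Attempt to fetch the models to ensure that they don't already exist.
        if any(ds.get_multi(keys)):
            raise RESTException('Cannot POST to an existing model ID')
        ds.put_multi(models)
        return models

    return ds.transaction(insert_if_absent)


def owner_after_takeover_attempt(post):
    """alice creates doc1, then mallory POSTs the same id; returns doc1's owner."""
    ds = FakeDatastore()
    post(ds, 'alice', [{'id': 'doc1', 'data': {'v': 1}}])
    try:
        post(ds, 'mallory', [{'id': 'doc1', 'data': {'v': 2}}])
    except RESTException:
        pass
    return ds.get_multi(['doc1'])[0].owner


def ids_stored_after_mixed_batch(post):
    """A batch with one new id and one existing id; returns the ids present afterwards."""
    ds = FakeDatastore()
    post(ds, 'alice', [{'id': 'a'}])
    try:
        post(ds, 'bob', [{'id': 'b'}, {'id': 'a'}])
    except RESTException:
        pass
    return [m.key for m in ds.get_multi(['a', 'b']) if m is not None]


if __name__ == '__main__':
    print('vulnerable owner:', owner_after_takeover_attempt(post_vulnerable))  # mallory
    print('fixed owner:     ', owner_after_takeover_attempt(post_fixed))       # alice
    print('vulnerable batch:', ids_stored_after_mixed_batch(post_vulnerable))  # ['a', 'b']
    print('fixed batch:     ', ids_stored_after_mixed_batch(post_fixed))       # ['a']
```

With the real ndb the same shape applies by passing the inner function to `ndb.transaction`; on the legacy App Engine datastore a transaction that reads keys from several entity groups has to be a cross-group transaction, which caps how many distinct groups one POST batch can touch, so a large multi-instance POST may need to be split or checked group by group.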