Serializer: POST nested object without permission fails quietly
This is a low-priority bug.
The following unit test passes:
```python
import json

from rest_framework.test import APITestCase

from djangoldp.tests.models import LDPDummy  # import path assumed; not shown in the report


class TestNestedPermission(APITestCase):  # wrapper added so the snippet runs; not in the report
    def test_patch_nested_without_permission(self):
        # I am attempting to add a resource which I should not know exists
        parent = LDPDummy.objects.create(some='parent')
        data = {
            'anons': [
                {'@id': 'https://external.com/permissionless-dummys/1/'}
            ]
        }
        response = self.client.patch('/ldpdummys/{}/'.format(parent.pk), data=json.dumps(data),
                                     content_type='application/ld+json')
        self.assertEqual(response.status_code, 200)
        self.assertEqual(len(response.data['anons']['ldp:contains']), 0)
        parent = LDPDummy.objects.get(pk=parent.pk)
        self.assertEqual(parent.anons.count(), 0)
```
The serializer correctly refuses to let me update the nested resource. It is not failing totally silently, because the response does not pretend that the resource was created. It should possibly fail more loudly, returning a 403 or 400.
In PUT/PATCH there is an added security consideration (#329 (closed)): if I have the model permission `add`, then I can deduce from this request that the `permissionless-dummy` which I attempted to change exists. This is a minor security vulnerability, as I do not have permission to know that it exists.
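To make the two behaviours concrete, here is an added illustration (not djangoldp code) of the silent drop described above beside the proposed strict handling. `RESOURCES`, `can_view` and the owner-based policy are constructed stand-ins for the real models and permission checks; the point is that a forbidden reference and a nonexistent one are rejected identically, so the response no longer reveals whether the resource exists.

```python
# Constructed stand-in for the database: nested resource @id -> owner name.
# An assumption for this example; djangoldp resolves these through real models.
RESOURCES = {
    'https://external.com/permissionless-dummys/1/': 'alice',
    'https://external.com/permissionless-dummys/2/': 'bob',
}


def can_view(user, resource_id):
    """Constructed policy: only the owner may even see a permissionless-dummy."""
    return RESOURCES.get(resource_id) == user


class NestedReferenceError(Exception):
    """Mapped to HTTP 400 by the view, so the client learns the request was rejected."""

    def __init__(self, resource_id):
        super().__init__('invalid nested reference: {}'.format(resource_id))


def quiet_resolve(user, refs):
    """Behaviour reported in the issue: references the caller may not use are
    silently dropped and the request still succeeds (200 with an empty container)."""
    return [r['@id'] for r in refs if can_view(user, r['@id'])]


def strict_resolve(user, refs):
    """Proposed behaviour: reject the whole request instead of dropping references.
    A missing resource and a forbidden one raise the same error with the same text
    pattern, so the caller cannot use the difference to learn whether it exists."""
    accepted = []
    for ref in refs:
        rid = ref['@id']
        if rid not in RESOURCES or not can_view(user, rid):
            raise NestedReferenceError(rid)
        accepted.append(rid)
    return accepted


def rejection_message(user, refs):
    """Error text strict_resolve produces for refs, or None when it accepts them."""
    try:
        strict_resolve(user, refs)
    except NestedReferenceError as exc:
        return str(exc)
    return None
```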