Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

required readOnly fields are required in request body when they shouldn't be #1907

Open
sampoh0523 opened this issue Apr 4, 2024 · 2 comments · May be fixed by #1943
Open

required readOnly fields are required in request body when they shouldn't be #1907

sampoh0523 opened this issue Apr 4, 2024 · 2 comments · May be fixed by #1943
Labels
bug PR welcome We would welcome and review a PR addressing this issue

Comments

@sampoh0523
Copy link

sampoh0523 commented Apr 4, 2024
edited
Loading

Description

When an API object has a field that is required but has readOnly: true, a request containing an object without that field fails to validate.

OpenAPI spec says:

You can use the readOnly and writeOnly keywords to mark specific properties as read-only or write-only. This is useful, for example, when GET returns more properties than used in POST – you can use the same schema in both GET and POST and mark the extra properties as readOnly. readOnly properties are included in responses but not in requests, [...]

If a readOnly or writeOnly property is included in the required list, required affects just the relevant scope – responses only or requests only. That is, read-only required properties apply to responses only, [...]

This is a regression from Connexion 2.x.

Expected behaviour

Object validates successfully.

Actual behaviour

Object fails to validate, because it is missing a read-only field:

ERROR:connexion.validators.json:Validation error: 'objectId' is a required property
ERROR:connexion.middleware.exceptions:BadRequestProblem(status_code=400, detail="'objectId' is a required property")

Presumably Connexion 3.x fails to use jsonschema validation properly here.

Steps to reproduce

  1. Use the openapi.yaml and testcontroller.py from below
  2. Start with connexion run openapi.yaml --stub
  3. Attempt to do the following request: PUT .../objects/45d2847a-ed55-440a-bfa7-5e759d0d671f, with body
{
    "name": "abc"
}

Minimal example:

openapi.yaml

openapi: 3.0.3
info:
  title: test
  version: '1.0'
paths:
  '/objects/{objectId}':
    parameters:
      - schema:
          type: string
          format: uuid
        name: objectId
        in: path
        required: true
    put:
      summary: Create or update object
      operationId: object_put
      x-openapi-router-controller: testcontroller
      responses:
        '200':
          description: OK - Object updated
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Object'
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Object'
components:
  schemas:
    Object:
      title: BaseObject
      type: object
      properties:
        objectId:
          type: string
          format: uuid
          readOnly: true
        name:
          type: string
      required:
      - objectId
      - name

testcontroller.py

from connexion import FlaskApp, request

app = FlaskApp(__name__)


def object_put(objectId, body):
    return {"objectId": objectId, **body}


app.add_api("openapi.yaml")

Additional info:

Output of the commands:

  • python --version
    • Python 3.11.3
  • pip show connexion | grep "^Version\:"
    • Version: 3.0.6
@sampoh0523 sampoh0523 changed the title readOnly and required fields are required in body when they shouldn't be readOnly and required fields are required in request body when they shouldn't be Apr 4, 2024
@sampoh0523 sampoh0523 changed the title readOnly and required fields are required in request body when they shouldn't be required readOnly fields are required in request body when they shouldn't be Apr 4, 2024
@RobbeSneyders
Copy link
Member

Thanks for the report @sampoh0523.

Seems like we need to reinclude this validator. Do you mind submitting a PR for this?

@RobbeSneyders RobbeSneyders added bug PR welcome We would welcome and review a PR addressing this issue labels Apr 15, 2024
@whoseoyster whoseoyster linked a pull request Jun 26, 2024 that will close this issue
Open
@whoseoyster
Copy link

@RobbeSneyders I'm surprised people are able to use connexion 3 without this working correctly. Opened a PR to fix this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug PR welcome We would welcome and review a PR addressing this issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Validate required fields based on readOnly & writeOnly whoseoyster/connexion
3 participants
@whoseoyster @RobbeSneyders @sampoh0523