updateAll should honour strict mode

[bajtos]

Bug/Feature request

See #742 (comment)

When user makes a POST /update request (calls updateAll in node API terms), the backend will happily persist (yes, actually persist, not just a wrong in-memory representation) random properties to MongoDB through an updateAll even though strict mode is enabled for the model.

Expected result

updateAll honours strict mode and rejects request with extra properties not described by the model.

Additional information

The scope of this issue is to fix strict mode only. Enforcing all property validations is covered by loopbackio/loopback-datasource-juggler#771.

[fabien]

@bajtos will this be backported to v.2?

[bajtos]

will this be backported to v.2?

Should it be? I labelled this issue as a feature (semver-minor), which means it won't be backported.

What's your opinion?

[fabien]

I'd prefer to see it backported, because to me it doesn't appear like a feature. The semantics of strict were a far cry from actually being strict up until now, if you know what I mean.

An option like that (with a name that implies a serious restriction) should behave as expected at all times, to avoid the issues (even security related) mentioned, wouldn't you agree?

[stale]

This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository.