Ghost: API accepts non-ObjectID ids when creating posts

Created on 4 Oct 2017 · 11 comments · Source: TryGhost/Ghost

Issue Summary

It's possible to POST to the /posts/ endpoint including a numeric id attribute which is successfully saved to the database. When later trying to edit that post the server raises a 422 ValidationError with the message:

Saving failed: Validation (matches) failed for id

Steps to Reproduce

  1. Use Postman or similar to send a POST /posts/ request with a numeric ID property in the post's JSON
  2. Open the new post in the admin area's editor
  3. Attempt to save it

We should be ignoring (ideally) or at least validating ID attributes when creating posts via the API.

Technical details:

  • Ghost Version: 1.11.0

Labels: api, bug, server / core

Most helpful comment

I would suggest that forbidding is better than ignoring. So better send a 400 Bad Request (or 422) status back than silently drop the parameter.

All 11 comments

I would suggest that forbidding is better than ignoring. So better send a 400 Bad Request (or 422) status back than silently drop the parameter.

PR is welcome 😅

I'm looking into this one 😄

I'll take that over for the next week.

I didn't want to open a whole new issue for something that's most likely related, so I'll post this here.

I was creating tags via the API this morning, and specifying a custom ID in the request body like this:

{ "tags" : [{ "id": "willthiswork", "name": "maybe", "slug": "aslug" }] }

When I do a GET via the API to get the tag, I can see that the ID is still "willthiswork".

But when I do a DELETE via the API (or try to delete the tag in the Ghost admin area), I get the same error reported above.

The admin area shows an orange bar with _"Validation (matches) failed for id"_.

Postman displays:

{
    "errors": [
        {
            "message": "Validation (matches) failed for id",
            "errorType": "ValidationError"
        }
    ]
}

@grantwinney Thanks. Yeah, this issue is about missing validations. It shouldn't be allowed to set custom identifiers via the API, unless there is a very good reason to allow this.

Happy about any help 👍

With JSON Schema validations landing in master for posts and tags Admin API endpoints, id fields are now stripped from the input and ignored during the validation phase 👍
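The two policies debated in this thread, as an added example that is not Ghost's code: a strict variant that answers a client-supplied `id` on create with a 422 (the "forbid" option), and a lenient variant that strips the field so the server always generates the id (the "ignore" option that the JSON Schema change took). The error body mirrors the one Postman shows above; the ObjectId check is the 24-hex-character form Ghost ids take. `validateCreateStrict`, `stripClientIds` and `validateIdParam` are names chosen for this example, not Ghost API functions, and the check does not model the reserved internal id 1 mentioned later in the thread.

```javascript
// Added example (not Ghost's own code): validating a client-supplied `id`
// on a create request. Ghost ids are 24-character hex BSON ObjectIds, so
// anything else sent in a POST body should be rejected (or stripped) before
// it reaches the database; otherwise the stored row fails this same check on
// every later edit or delete, which is exactly the symptom in this issue.
const OBJECT_ID_RE = /^[0-9a-f]{24}$/i;

function isObjectId(value) {
  return typeof value === 'string' && OBJECT_ID_RE.test(value);
}

// Error response shaped like the one Postman shows in the thread.
function validationError(field) {
  return {
    status: 422,
    body: {
      errors: [
        { message: `Validation (matches) failed for ${field}`, errorType: 'ValidationError' },
      ],
    },
  };
}

// Policy A ("forbid"): any client-supplied id on create is an error.
// `resource` is the key under which the API nests objects ("posts", "tags").
function validateCreateStrict(payload, resource) {
  const items = Array.isArray(payload[resource]) ? payload[resource] : [];
  if (items.length === 0) return validationError(resource);
  for (const item of items) {
    if (Object.prototype.hasOwnProperty.call(item, 'id')) {
      return validationError('id');
    }
  }
  return { status: 201, body: { [resource]: items } };
}

// Policy B ("ignore"): drop `id` so the server generates it.
// Returns a new payload and leaves the caller's object untouched.
function stripClientIds(payload, resource) {
  const items = Array.isArray(payload[resource]) ? payload[resource] : [];
  return { [resource]: items.map(({ id: _ignored, ...rest }) => rest) };
}

// For edit/delete the id in the URL must already be a real ObjectId;
// a numeric or free-form id stored earlier fails here, as reported above.
function validateIdParam(id) {
  return isObjectId(id) ? null : validationError('id');
}
```

With policy A a misbehaving client learns immediately that `id` is not accepted; with policy B the request succeeds but the response carries the server-generated id, so clients that assumed their own id was kept will notice on the next read.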

I have the same sort of trouble when I'm trying to edit a manually created user.
[screenshot]
The id of the user should be fine, but it seems that Ghost is having some problems with it.
[screenshot]
I couldn't find any code describing what a user id should be, or any validation code.
My version of Ghost comes from the Bitnami Docker image.

Hey @sliterok. The only numerical id that is supported in Ghost is 1 and is reserved for internal usage. All other id fields are generated, unique BSON ObjectIds (https://github.com/TryGhost/Ghost/blob/e109c54/core/server/models/base/index.js#L630). Ideally you should not be editing these manually in the database 😃

Hey @naz ,

How do I use a BSON ObjectId to create an ID for users?
