Our product is using the @request.restful() decorator to specify REST endpoints for our resources. During testing, I noticed that I can specify a PUT request var of "id=x" where x is some new id and the id of that row will change to x. This is even WITH "db.table.id.writable = False."
The PUT method is defined as follows:
    def PUT(table_name, record_id, **vars):
        # every request var is passed straight to validate_and_update(),
        # including an "id" var, so the row's primary key can be rewritten
        return db(db[table_name]._id == record_id).validate_and_update(**vars)
This seems like a relatively major problem... if a user were to be clever enough to play around with our UI and figure out the REST calls being made, he/she could potentially mess with all the ids and relationships of the resources, at least for that particular account (and any other resources we've exposed).
Am I missing something? Does "db.person.id.writable = False" only apply to SQLFORMs? Is there some other way to prevent modification of the id field?
Thanks ahead of time for any help.
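One defensive pattern for the PUT handler above, added here as an example and not code from the post or from web2py itself: filter the request vars against each field's writable flag and always refuse the primary key before calling the update. It assumes a table object shaped like a DAL table (.fields, ._id, per-field .writable); a minimal stand-in is constructed so the block runs offline.

```python
# Added example (not from the original post): drop request vars for fields
# marked writable=False, and the primary key unconditionally, before the
# update, so a PUT with "id=x" can no longer move the row.
# Assumption: a table exposing .fields, ._id and per-field .writable, as a
# web2py DAL table does. A tiny stand-in is used so this runs offline.

class _Field:
    def __init__(self, name, writable=True):
        self.name = name
        self.writable = writable

class _Table:
    """Minimal stand-in for a DAL table (constructed for this example)."""
    def __init__(self, *fields):
        self._fields = {f.name: f for f in fields}
        self.fields = list(self._fields)
        self._id = self._fields["id"]
    def __getitem__(self, name):
        return self._fields[name]

def writable_vars(table, vars):
    """Return (accepted, rejected). Accepted keeps only known fields with
    writable=True; unknown fields and the primary key are rejected even
    if the key's own writable flag were ever left at True."""
    accepted, rejected = {}, []
    for name, value in vars.items():
        field = table[name] if name in table.fields else None
        if field is None or field is table._id or not field.writable:
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected

def safe_put(db_update, table, record_id, **vars):
    """Refuse the whole request if any non-writable field was sent
    (so the client learns the field is off limits); otherwise forward
    the filtered vars to the real update callable."""
    accepted, rejected = writable_vars(table, vars)
    if rejected:
        return {"errors": {name: "field is not writable" for name in rejected}}
    return db_update(table, record_id, **accepted)

# Constructed sample: the person table from the question, id not writable.
person = _Table(_Field("id", writable=False), _Field("name"), _Field("email"))
```

The filtering is done on the server before the DAL sees the vars, which is the only place the writable flag can be enforced for a REST call that never passes through an SQLFORM.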