Fixed: fail on filtering to-many relationships (crashes later otherwise) (#752)

Bart Koelman · web-flow · commit 736c7108738b · 2020-05-15T11:29:38.000+02:00
Fixed: filters are not applied in GetById reauests
diff --git a/src/JsonApiDotNetCore/QueryParameterServices/FilterService.cs b/src/JsonApiDotNetCore/QueryParameterServices/FilterService.cs
@@ -63,6 +63,13 @@ private FilterQueryContext GetQueryContexts(FilterQuery query, string parameterN
             queryContext.Relationship = GetRelationship(parameterName, query.Relationship);
             var attribute = GetAttribute(parameterName, query.Attribute, queryContext.Relationship);
 
+            if (queryContext.Relationship is HasManyAttribute)
+            {
+                throw new InvalidQueryStringParameterException(parameterName,
+                    "Filtering on one-to-many and many-to-many relationships is currently not supported.",
+                    $"Filtering on the relationship '{queryContext.Relationship.PublicRelationshipName}.{attribute.PublicAttributeName}' is currently not supported.");
+            }
+
             if (!attribute.Capabilities.HasFlag(AttrCapabilities.AllowFilter))
             {
                 throw new InvalidQueryStringParameterException(parameterName, "Filtering on the requested attribute is not allowed.",
diff --git a/src/JsonApiDotNetCore/Services/DefaultResourceService.cs b/src/JsonApiDotNetCore/Services/DefaultResourceService.cs
@@ -143,8 +143,10 @@ public virtual async Task<TResource> GetAsync(TId id)
             _hookExecutor?.BeforeRead<TResource>(pipeline, id.ToString());
 
             var entityQuery = _repository.Get(id);
+            entityQuery = ApplyFilter(entityQuery);
             entityQuery = ApplyInclude(entityQuery);
             entityQuery = ApplySelect(entityQuery);
+
             var entity = await _repository.FirstOrDefaultAsync(entityQuery);
 
             if (entity == null)
diff --git a/test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/AttributeFilterTests.cs b/test/JsonApiDotNetCoreExampleTests/Acceptance/Spec/AttributeFilterTests.cs
@@ -89,6 +89,52 @@ public async Task Can_Filter_On_Related_Attrs()
             list.Owner.FirstName = person.FirstName;
         }
 
+        [Fact]
+        public async Task Can_Filter_On_Related_Attrs_From_GetById()
+        {
+            // Arrange
+            var context = _fixture.GetService<AppDbContext>();
+            var person = _personFaker.Generate();
+            var todoItem = _todoItemFaker.Generate();
+            todoItem.Owner = person;
+            context.TodoItems.Add(todoItem);
+            await context.SaveChangesAsync();
+
+            var httpMethod = new HttpMethod("GET");
+            var route = $"/api/v1/todoItems/{todoItem.Id}?include=owner&filter[owner.firstName]=SOMETHING-ELSE";
+            var request = new HttpRequestMessage(httpMethod, route);
+
+            // Act
+            var response = await _fixture.Client.SendAsync(request);
+            var body = await response.Content.ReadAsStringAsync();
+
+            // Assert
+            Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+        }
+
+        [Fact]
+        public async Task Cannot_Filter_On_Related_ToMany_Attrs()
+        {
+            // Arrange
+            var httpMethod = new HttpMethod("GET");
+            var route = "/api/v1/todoItems?include=childrenTodos&filter[childrenTodos.ordinal]=1";
+            var request = new HttpRequestMessage(httpMethod, route);
+
+            // Act
+            var response = await _fixture.Client.SendAsync(request);
+
+            // Assert
+            var body = await response.Content.ReadAsStringAsync();
+            Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+
+            var errorDocument = JsonConvert.DeserializeObject<ErrorDocument>(body);
+            Assert.Single(errorDocument.Errors);
+            Assert.Equal(HttpStatusCode.BadRequest, errorDocument.Errors[0].StatusCode);
+            Assert.Equal("Filtering on one-to-many and many-to-many relationships is currently not supported.", errorDocument.Errors[0].Title);
+            Assert.Equal("Filtering on the relationship 'childrenTodos.ordinal' is currently not supported.", errorDocument.Errors[0].Detail);
+            Assert.Equal("filter[childrenTodos.ordinal]", errorDocument.Errors[0].Source.Parameter);
+        }
+
         [Fact]
         public async Task Cannot_Filter_If_Explicitly_Forbidden()
         {
