I'm trying to create some default values for some field inside entity.
This is my Entity:
@Entity
@AllArgsConstructor
@NoArgsConstructor
@Data
@Table(name="users")
public class User extends BaseEntity{
@Column(name="email")
private String email;
@Column(name="password")
private String password;
@Column(name="tokens", insertable = false)
@ElementCollection(targetClass=String.class)
private List<String> tokens;
@Column(name="firstName")
private String firstName;
@Column(name="lastName")
private String lastName;
@Column(name="permission", insertable = false, columnDefinition="tinyint(1) default 0")
private Integer permission;
@Column(name="deleted", columnDefinition = "boolean default false", insertable = false)
private boolean deleted;
@Column(name="expirationDate", insertable = false)
@CreationTimestamp
@Temporal(TemporalType.TIMESTAMP)
private Date expirationDate;
}
The fields that I want to receive from the client is:
email, password, firstName, lastName.
This is my route that receive the input and persist it:
@PostMapping("/createUser")
public ResponseEntity<User> createUser(@RequestBody User user) {
try{
return ResponseEntity.ok()
.body(userService.addUser(user));
} catch (CustomException e){
throw new CustomException(e.getMessage());
}
}
Via the annotation @RequestBody I am able to send an json to the server:
{
"email": "[email protected]",
"password": "123456",
"firstName": "Itzik",
"lastName": "Barabie",
"permission": 4,
"deleted": "true"
}
And it's seem to be that the user can specify it's own values for fields permission and deleted, Which I have annotate then with insertable = false.
This is the returned object.
{
"userId": 6,
"createDate": "2022-02-14T22:38:21.892 00:00",
"updatedDate": "2022-02-14T22:38:21.892 00:00",
"deleted": true,
"email": "[email protected]",
"password": "85784496ddc1811f5b71ee2a2797924139c550f784bd72753bc4daa9e731e148a0e57067038b5d4a82e2cecf910505ad06ec49a12d777a81f471ef81f8bae9ef",
"tokens": null,
"firstName": "Itzik",
"lastName": "Barabie",
"permission": 4,
"expirationDate": "2022-02-14T22:38:21.892 00:00"
}
This is an expected behavior? Or I'm missing something..
I have understand that insertable = false and updateable = false should block any attempt for insert or update manually.
Thanks!
CodePudding user response:
If you just want to restrict the API from accessing the fields that are only meant for internal use in the service layer such as permission/delete, then you are better off using
@JsonIgnore
or
@JsonProperty
annotations instead of @Insertable or @Updatable. This will hide the fields from the API.
@Entity
@AllArgsConstructor
@NoArgsConstructor
@Data
@Table(name="users")
public class User extends BaseEntity{
@Column(name="email")
private String email;
@Column(name="password")
private String password;
@Column(name="tokens", insertable = false)
@ElementCollection(targetClass=String.class)
private List<String> tokens;
@Column(name="firstName")
private String firstName;
@Column(name="lastName")
private String lastName;
@JsonIgnore
@Column(name="permission", columnDefinition="tinyint(1) default 0")
private Integer permission;
@JsonIgnore
@Column(name="deleted", columnDefinition = "boolean default false")
private boolean deleted;
@Column(name="expirationDate", insertable = false)
@CreationTimestamp
@Temporal(TemporalType.TIMESTAMP)
private Date expirationDate;
}
You can also choose to make the fields optionally hide during either a read or write. For example
@JsonProperty(access = JsonProperty.Access.READ_ONLY)
will show the value in API but not allow it to be written.