[Bugfix] Prevent relations being treated as attributes

lindyhopchris · lindyhopchris · commit 5f28f3c65f9e · 2020-01-13T16:07:42.000Z
Closes #447
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,8 @@ Amend query method signature on validated request to match Laravel request signa
 ### Fixed
 - [#445](https://github.com/cloudcreativity/laravel-json-api/issues/445)
 Allow resource identifier to be zero.
+- [#447](https://github.com/cloudcreativity/laravel-json-api/issues/447)
+Ensure deserialized attributes do not include relations if the relation has been sent as an attribute.
 
 ## [1.5.0] - 2019-10-14
 
diff --git a/src/Document/ResourceObject.php b/src/Document/ResourceObject.php
@@ -717,10 +717,6 @@ private function fieldNames(): Collection
      */
     private function normalize(): void
     {
-        if (collect($this->attributes)->intersectByKeys($this->relationships)->isNotEmpty()) {
-            throw new \LogicException('Attributes and relationships cannot have the same field names.');
-        }
-
         $this->fieldValues = $this->fieldValues();
         $this->fieldNames = $this->fieldNames();
     }
diff --git a/src/Eloquent/Concerns/DeserializesAttributes.php b/src/Eloquent/Concerns/DeserializesAttributes.php
@@ -103,8 +103,8 @@ protected function modelKeyForField($field, $model)
      */
     protected function deserializeAttributes($attributes, $record)
     {
-        return collect($attributes)->reject(function ($v, $field) use ($record) {
-            return $this->isNotFillable($field, $record);
+        return collect($attributes)->filter(function ($v, $field) use ($record) {
+            return $this->isFillableAttribute($field, $record);
         })->mapWithKeys(function ($value, $field) use ($record) {
             $key = $this->modelKeyForField($field, $record);
 
@@ -169,4 +169,16 @@ protected function isDateAttribute($field, $record)
         return in_array($field, $this->dates, true);
     }
 
+    /**
+     * Is the field a fillable attribute?
+     *
+     * @param string $field
+     * @param mixed $record
+     * @return bool
+     */
+    protected function isFillableAttribute($field, $record)
+    {
+        return $this->isFillable($field, $record) && !$this->isRelation($field);
+    }
+
 }
diff --git a/tests/lib/Integration/Eloquent/ResourceTest.php b/tests/lib/Integration/Eloquent/ResourceTest.php
@@ -166,7 +166,7 @@ public function testCreate()
                 'author' => [
                     'data' => [
                         'type' => 'users',
-                        'id' => (string) $model->author_id,
+                        'id' => (string) $model->author->getRouteKey(),
                     ],
                 ],
             ],
@@ -182,7 +182,7 @@ public function testCreate()
             'title' => $model->title,
             'slug' => $model->slug,
             'content' => $model->content,
-            'author_id' => $model->author_id,
+            'author_id' => $model->author->getKey(),
         ]);
     }
 
@@ -455,6 +455,32 @@ public function testUpdateWithUnrecognisedRelationship()
         ]);
     }
 
+    /**
+     * The client sends an unexpected attribute with the same name as a
+     * relationship.
+     */
+    public function testUpdateWithRelationshipAsAttribute()
+    {
+        $post = factory(Post::class)->create();
+
+        $data = [
+            'type' => 'posts',
+            'id' => (string) $post->getRouteKey(),
+            'attributes' => [
+                'title' => 'Hello World',
+                'author' => 'foobar',
+            ],
+        ];
+
+        $this->doUpdate($data)->assertStatus(200);
+
+        $this->assertDatabaseHas('posts', [
+            'id' => $post->getKey(),
+            'title' => 'Hello World',
+            'author_id' => $post->author_id,
+        ]);
+    }
+
     /**
      * Laravel conversion middleware e.g. trim strings, works.
      *
diff --git a/tests/lib/Unit/Document/ResourceObjectTest.php b/tests/lib/Unit/Document/ResourceObjectTest.php
@@ -182,16 +182,16 @@ public function testGetWithDefault(): void
 
     /**
      * Fields share a common namespace, so if there is a duplicate field
-     * name in the attributes and relationships, we expect an exception as the resource
-     * is not valid.
+     * name in the attributes and relationships, there is a collision.
+     * We expect the relationship to be returned.
      */
     public function testDuplicateFields(): void
     {
         $this->values['attributes']['author'] = null;
 
-        $this->expectException(\LogicException::class);
-        $this->expectExceptionMessage('same field names');
-        ResourceObject::create($this->values);
+        $resource = ResourceObject::create($this->values);
+
+        $this->assertSame($this->values['relationships']['author']['data'], $resource['author']);
     }
 
     public function testCannotSetOffset(): void

Original file line number	Diff line number	Diff line change
`@@ -717,10 +717,6 @@ private function fieldNames(): Collection`
`717`	`717`	`*/`
`718`	`718`	`private function normalize(): void`
`719`	`719`	`{`
`720`		`- if (collect($this->attributes)->intersectByKeys($this->relationships)->isNotEmpty()) {`
`721`		`- throw new \LogicException('Attributes and relationships cannot have the same field names.');`
`722`		`- }`
`723`		`-`
`724`	`720`	`$this->fieldValues = $this->fieldValues();`
`725`	`721`	`$this->fieldNames = $this->fieldNames();`
`726`	`722`	`}`