From 752e901b3dfec9aad3106a49787cf325690b755a Mon Sep 17 00:00:00 2001
From: Adria Navarro
Date: Mon, 31 Jul 2023 09:58:49 +0200
Subject: [PATCH] Don't allow saving _viewId on row.patch

---
 .../server/src/api/controllers/row/index.ts | 9 ++++++--
 .../server/src/api/routes/tests/row.spec.ts | 21 ++++++++++++++++++-
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/packages/server/src/api/controllers/row/index.ts b/packages/server/src/api/controllers/row/index.ts
index 32f892c4a5..41f5f1ca89 100644
--- a/packages/server/src/api/controllers/row/index.ts
+++ b/packages/server/src/api/controllers/row/index.ts
@@ -37,6 +37,11 @@ export async function patch(
 const appId = ctx.appId
 const tableId = utils.getTableId(ctx)
 const body = ctx.request.body
+
+ if (body._viewId) {
+ ctx.throw(400, "Table row endpoints cannot contain view info")
+ }
+
 // if it doesn't have an _id then its save
 if (body && !body._id) {
 return save(ctx)
@@ -62,7 +67,7 @@ export async function patch(
 }
 }

-export const save = async (ctx: UserCtx) => {
+export const save = async (ctx: UserCtx) => {
 const appId = ctx.appId
 const tableId = utils.getTableId(ctx)
 const body = ctx.request.body
@@ -73,7 +78,7 @@ export const save = async (ctx: UserCtx) => {

 // if it has an ID already then its a patch
 if (body && body._id) {
- return patch(ctx)
+ return patch(ctx as UserCtx)
 }
 const { row, table, squashed } = await quotas.addRow(() =>
 quotas.addQuery(() => pickApi(tableId).save(ctx), {
diff --git a/packages/server/src/api/routes/tests/row.spec.ts b/packages/server/src/api/routes/tests/row.spec.ts
index ed0fb19343..8f2e64db7a 100644
--- a/packages/server/src/api/routes/tests/row.spec.ts
+++ b/packages/server/src/api/routes/tests/row.spec.ts
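Review bot: The new `if (body._viewId)` guard in `patch()` (packages/server/src/api/controllers/row/index.ts, first hunk) dereferences `body` before the existing `body && !body._id` test that follows it, so if `body` can be undefined, as that existing test suggests, the request would fail with a TypeError rather than the intended 400; `if (body?._viewId)` keeps the two checks consistent. The guard is also a truthiness test, so a payload carrying `_viewId: ""` or `_viewId: null` passes it, and whether that key is then written to the row depends on code outside this hunk. If the intent is that the key never reaches the stored document, reject on presence instead, e.g. `if (body && "_viewId" in body)`. The body of `patch()` continues past the end of the hunk.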
@@ -392,7 +392,7 @@ describe("/rows", () => {
 expect(saved.optsFieldStrKnown).toEqual("Alpha")
 })

- it("should not allow creating a table row with view id data", async () => {
+ it("should throw an error when creating a table row with view id data", async () => {
 const res = await request
 .post(`/api/${row.tableId}/rows`)
 .send({ ...row, _viewId: generator.guid() })
@@ -452,6 +452,25 @@ describe("/rows", () => {
 await assertRowUsage(rowUsage)
 await assertQueryUsage(queryUsage)
 })
+
+ it("should throw an error when creating a table row with view id data", async () => {
+ const existing = await config.createRow()
+
+ const res = await config.api.row.patch(
+ table._id!,
+ {
+ ...existing,
+ _id: existing._id!,
+ _rev: existing._rev!,
+ tableId: table._id!,
+ _viewId: generator.guid(),
+ },
+ { expectStatus: 400 }
+ )
+ expect(res.body.message).toEqual(
+ "Table row endpoints cannot contain view info"
+ )
+ })
 })

 describe("destroy", () => {
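Review bot: The test added in the second hunk of row.spec.ts reuses the title `should throw an error when creating a table row with view id data`, but it calls `config.api.row.patch` on an existing row; `"should throw an error when patching a table row with view id data"` would attribute a failure to the right endpoint. The test asserts only the 400 status and the message, so a follow-up read of the row checking that no `_viewId` was stored would confirm the rejection happens before any write. Only a truthy `generator.guid()` value is exercised; a case with an empty-string or null `_viewId` would pin down how the controller's truthiness check treats falsy values.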