fix: don't accept private arguments over JSON:API endpoints

zachdaniel · zachdaniel · commit 8f37dee57107 · 2026-03-27T14:33:27.000-04:00
closes #427
diff --git a/lib/ash_json_api/request.ex b/lib/ash_json_api/request.ex
@@ -1150,11 +1150,12 @@ defmodule AshJsonApi.Request do
 
     Enum.reduce(attributes, request, fn {key, value}, request ->
       case Enum.find(action.arguments, fn argument ->
-             AshJsonApi.Resource.Info.apply_argument_name_mapping(
-               arg_names,
-               action.name,
-               argument.name
-             ) == key
+             argument.public? &&
+               AshJsonApi.Resource.Info.apply_argument_name_mapping(
+                 arg_names,
+                 action.name,
+                 argument.name
+               ) == key
            end) do
         nil ->
           request
@@ -1177,8 +1178,9 @@ defmodule AshJsonApi.Request do
       matching_argument =
         Enum.find(
           action.arguments,
-          &(AshJsonApi.Resource.Info.apply_argument_name_mapping(arg_names, action.name, &1.name) ==
-              key)
+          &(&1.public? &&
+              AshJsonApi.Resource.Info.apply_argument_name_mapping(arg_names, action.name, &1.name) ==
+                key)
         )
 
       matching_accept =
diff --git a/test/acceptance/patch_test.exs b/test/acceptance/patch_test.exs
@@ -204,6 +204,10 @@ defmodule Test.Acceptance.PatchTest do
           route "/forbidden_update/:id"
         end
 
+        patch :private_arg_update do
+          route "/private_arg_update/:id"
+        end
+
         related :author, :read
         patch_relationship :author
       end
@@ -241,6 +245,14 @@ defmodule Test.Acceptance.PatchTest do
         end)
       end
 
+      update :private_arg_update do
+        accept([:name])
+
+        argument :email, :string do
+          public?(false)
+        end
+      end
+
       action :forbidden_update, :struct do
         constraints(instance_of: __MODULE__)
         argument(:id, :uuid, allow_nil?: false)
@@ -435,6 +447,22 @@ defmodule Test.Acceptance.PatchTest do
       })
     end
 
+    test "public?: false arguments on update actions cannot be set via PATCH", %{post: post} do
+      response =
+        Domain
+        |> patch(
+          "/posts/private_arg_update/#{post.id}",
+          %{
+            data: %{attributes: %{email: "should_not_work@test.com"}}
+          },
+          status: 422
+        )
+
+      assert Enum.any?(response.resp_body["errors"], fn error ->
+               error["code"] == "no_such_input"
+             end)
+    end
+
     @tag :attributes
     test "private attributes are not rendered in the payload", %{post: post} do
       Domain
