Array index boundary in PATCH add operations #117
Description
Hello again,
RFC6902 section 4.1 describes the allowed array indices in multiple places and combining those might allow a value which is currently not allowed by the implementation.
Using the following examples:
{ "magazine": [ { "title": "PCWorld", "price": 8.93 }, { "title": "Wired", "price": 7.5 } ] }
Patch:
[ { "op": "add", "path": "/magazine/2", "value": { "title": "Magazine", "price": 5.99 } } ]
The current implementation throws an error since the index points to a non-existent item.
However, one could interpret the bits of the RFC that this is supposed to work. So what could be relevant:
- If the target location specifies an array index, a new value is inserted into the array at the specified index.
- An element to add to an existing array - whereupon the supplied value is added to the array at the indicated location.
Based on these two, rejecting the patch is acceptable as that particular location doesn't exist. However, the RFC continues.
- The specified index MUST NOT be greater than the
number of elements in the array.- Because this operation is designed to add to existing objects and
arrays, its target location will often not exist. Although the
pointer's error handling algorithm will thus be invoked, this
specification defines the error handling behavior for "add" pointers
to ignore that error and add the value as specified.
So strictly speaking, 2 is not greater than the number of items in the array, as it's exactly 2.
Not sure about the actual intention of the RFC authors, so it might be a bug/ambiguity in the RFC as well.
Cheers,
Peter