Restrict createdAt and updatedAt attributes for non-API key and non-privileged users in Create, Update, and Upsert actions

2026-05-22 00:18:25 +00:00 · 2025-08-01 12:31:29 +05:30 · 2025-08-01 12:31:29 +05:30 · 983d102ff2
commit 983d102ff2
parent de69692ff2
3 changed files with 11 additions and 17 deletions
--- a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php
+++ b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php
@ -332,7 +332,7 @@ class Create extends Action
            }
        };

-        $documents = \array_map(function ($document) use ($collection, $permissions, $checkPermissions, $isBulk, $documentId, $setPermissions, $isAPIKey) {
+        $documents = \array_map(function ($document) use ($collection, $permissions, $checkPermissions, $isBulk, $documentId, $setPermissions, $isAPIKey, $isPrivilegedUser) {
            $document['$collection'] = $collection->getId();

            // Determine the source ID depending on whether it's a bulk operation.
@ -351,15 +351,13 @@ class Create extends Action
            // Assign a unique ID if needed, otherwise use the provided ID.
            $document['$id'] = $sourceId === 'unique()' ? ID::unique() : $sourceId;

-            // Allowing to add createdAt and updatedAt timestamps if server side(api key)
-            $createdAt = $document['$createdAt'] ?? null;
-            $updatedAt = $document['$updatedAt'] ?? null;
-            if (!$isAPIKey) {
-                if ($createdAt !== null) {
+            // Allowing to add createdAt and updatedAt timestamps if server side(api key
+            if (!$isAPIKey && !$isPrivilegedUser) {
+                if (isset($document['$createdAt'])) {
                    throw new Exception($this->getInvalidStructureException(), 'Attribute "$createdAt" is not allowed');
                }

-                if ($updatedAt !== null) {
+                if (isset($document['$updatedAt'])) {
                    throw new Exception($this->getInvalidStructureException(), 'Attribute "$updatedAt" is not allowed');
                }
            }
--- a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Update.php
+++ b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Update.php
@ -110,14 +110,12 @@ class Update extends Action
        }

        // Allowing to add createdAt and updatedAt timestamps if server side(api key)
-        $createdAt = $data['$createdAt'] ?? null;
-        $updatedAt = $data['$updatedAt'] ?? null;
-        if (!$isAPIKey) {
-            if ($createdAt !== null) {
+        if (!$isAPIKey && !$isPrivilegedUser) {
+            if (isset($data['$createdAt'])) {
                throw new Exception($this->getInvalidStructureException(), 'Attribute "$createdAt" is not allowed');
            }

-            if ($updatedAt !== null) {
+            if (isset($data['$updatedAt'])) {
                throw new Exception($this->getInvalidStructureException(), 'Attribute "$updatedAt" is not allowed');
            }
        }
--- a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Upsert.php
+++ b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Upsert.php
@ -154,14 +154,12 @@ class Upsert extends Action
            }
        }
        // Allowing to add createdAt and updatedAt timestamps if server side(api key)
-        $createdAt = $data['$createdAt'] ?? null;
-        $updatedAt = $data['$updatedAt'] ?? null;
-        if (!$isAPIKey) {
-            if ($createdAt !== null) {
+        if (!$isAPIKey && !$isPrivilegedUser) {
+            if (isset($data['$createdAt'])) {
                throw new Exception($this->getInvalidStructureException(), 'Attribute "$createdAt" is not allowed');
            }

-            if ($updatedAt !== null) {
+            if (isset($data['$updatedAt'])) {
                throw new Exception($this->getInvalidStructureException(), 'Attribute "$updatedAt" is not allowed');
            }
        }