diff --git a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php
index 9156599d25..17243caa8f 100644
--- a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php
+++ b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Create.php
@@ -332,7 +332,7 @@ class Create extends Action
 }
 };
- $documents = \array_map(function ($document) use ($collection, $permissions, $checkPermissions, $isBulk, $documentId, $setPermissions, $isAPIKey) {
+ $documents = \array_map(function ($document) use ($collection, $permissions, $checkPermissions, $isBulk, $documentId, $setPermissions, $isAPIKey, $isPrivilegedUser) {
 $document['$collection'] = $collection->getId();
 // Determine the source ID depending on whether it's a bulk operation.
@@ -351,15 +351,13 @@ class Create extends Action
 // Assign a unique ID if needed, otherwise use the provided ID.
 $document['$id'] = $sourceId === 'unique()' ? ID::unique() : $sourceId;
- // Allowing to add createdAt and updatedAt timestamps if server side(api key)
- $createdAt = $document['$createdAt'] ?? null;
- $updatedAt = $document['$updatedAt'] ?? null;
- if (!$isAPIKey) {
- if ($createdAt !== null) {
+ // Allowing to add createdAt and updatedAt timestamps if server side(api key
+ if (!$isAPIKey && !$isPrivilegedUser) {
+ if (isset($document['$createdAt'])) {
 throw new Exception($this->getInvalidStructureException(), 'Attribute "$createdAt" is not allowed');
 }
- if ($updatedAt !== null) {
+ if (isset($document['$updatedAt'])) {
 throw new Exception($this->getInvalidStructureException(), 'Attribute "$updatedAt" is not allowed');
 }
 }
diff --git a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Update.php b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Update.php
index 8d0cdc9cec..17993d47a1 100644
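Review bot: In Create.php's second hunk (the `$createdAt`/`$updatedAt` guard), `isset()` is false for a key whose value is null, exactly as the removed `?? null` test was, so a caller who is neither an API key nor privileged can still submit `"$createdAt": null` and the key stays in the document; what later code does with that null is outside the hunk. If such callers must not supply these attributes at all, test for the key instead, e.g. `if (\array_key_exists('$createdAt', $document)) {` (assuming `$document` is a plain array at this point), and do the same for `$updatedAt` and for `$data` in the Update.php and Upsert.php hunks. The added comment line also lost its closing parenthesis and still names only API keys although the condition now exempts `$isPrivilegedUser` as well; `// Only API keys and privileged users may set $createdAt and $updatedAt` would match the guard, and the unchanged context comment in Update.php and Upsert.php has the same outdated wording. The enclosing closure starts and ends outside this hunk.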
--- a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Update.php
+++ b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Update.php
@@ -110,14 +110,12 @@ class Update extends Action
 }
 // Allowing to add createdAt and updatedAt timestamps if server side(api key)
- $createdAt = $data['$createdAt'] ?? null;
- $updatedAt = $data['$updatedAt'] ?? null;
- if (!$isAPIKey) {
- if ($createdAt !== null) {
+ if (!$isAPIKey && !$isPrivilegedUser) {
+ if (isset($data['$createdAt'])) {
 throw new Exception($this->getInvalidStructureException(), 'Attribute "$createdAt" is not allowed');
 }
- if ($updatedAt !== null) {
+ if (isset($data['$updatedAt'])) {
 throw new Exception($this->getInvalidStructureException(), 'Attribute "$updatedAt" is not allowed');
 }
 }
diff --git a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Upsert.php b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Upsert.php
index 2864204f93..ecd9ac79df 100644
--- a/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Upsert.php
+++ b/src/Appwrite/Platform/Modules/Databases/Http/Databases/Collections/Documents/Upsert.php
@@ -154,14 +154,12 @@ class Upsert extends Action
 }
 }
 // Allowing to add createdAt and updatedAt timestamps if server side(api key)
- $createdAt = $data['$createdAt'] ?? null;
- $updatedAt = $data['$updatedAt'] ?? null;
- if (!$isAPIKey) {
- if ($createdAt !== null) {
+ if (!$isAPIKey && !$isPrivilegedUser) {
+ if (isset($data['$createdAt'])) {
 throw new Exception($this->getInvalidStructureException(), 'Attribute "$createdAt" is not allowed');
 }
- if ($updatedAt !== null) {
+ if (isset($data['$updatedAt'])) {
 throw new Exception($this->getInvalidStructureException(), 'Attribute "$updatedAt" is not allowed');
 }
 }
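Review bot: In the Update.php hunk, and in the Upsert.php hunk after it, the guard reads `$isPrivilegedUser`, but neither hunk shows where it is assigned, whereas Create.php's first hunk had to add it to the closure's `use` list. Presumably both actions set it earlier in the method; if either does not, PHP evaluates the undefined variable as null with a warning, so the guard would still reject the timestamps (it fails closed) but privileged users would never get the new exemption. Because this flag now decides who may write record timestamps, it is worth confirming that it comes from the authenticated session's roles and not from request data, and recording that where it is assigned, e.g. `// $isPrivilegedUser: taken from the authenticated roles, not from request data`. Both guards sit in methods that start and end outside the hunks.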