Skip to content

fix(go-server): skip readOnly fields in AssertXxxRequired#24170

Open
halfcrazy wants to merge 1 commit into
OpenAPITools:masterfrom
halfcrazy:fix-go-readonly
Open

fix(go-server): skip readOnly fields in AssertXxxRequired#24170
halfcrazy wants to merge 1 commit into
OpenAPITools:masterfrom
halfcrazy:fix-go-readonly

Conversation

@halfcrazy

@halfcrazy halfcrazy commented Jun 30, 2026

Copy link
Copy Markdown

AssertXxxRequired is only invoked on decoded request bodies, but it enforced every entry of a schema's required list, including readOnly properties. Per OpenAPI 3.x, readOnly properties are produced by the server and MUST NOT be sent by the client, so a schema legitimately listing a readOnly property as required (e.g. Redfish/JSON:API identity fields like id, @odata.type) caused the generated controller to reject every valid request that omitted the readOnly field.

Skip readOnly entries in the requiredVars loop in model.mustache so non-readOnly required fields are still validated while readOnly ones are not enforced on request bodies. Add a regression test using a spec with a readOnly+required id and a non-readOnly required name.
fix #24168

PR checklist

  • Read the contribution guidelines.
  • Run the following to build the project and update samples:
    ./mvnw clean package || exit
    ./bin/generate-samples.sh ./bin/configs/*.yaml || exit
    ./bin/utils/export_docs_generators.sh || exit
    
    (For Windows users, please run the script in WSL)
    Commit all changed files.
    This is important, as CI jobs will verify all generator outputs of your HEAD commit as it would merge with master.
    These must match the expectations made by your contribution.
    You may regenerate an individual generator by passing the relevant config(s) as an argument to the script, for example ./bin/generate-samples.sh bin/configs/java*.
    IMPORTANT: Do NOT purge/delete any folders/files (e.g. tests) when regenerating the samples as manually written tests may be removed.
  • If your PR is targeting a particular programming language, @mention the technical committee members, so they are more likely to review the pull request.

@lwj5


Summary by cubic

Skip readOnly fields during go-server model validation so request bodies can omit server-produced fields without failing. Non-readOnly required fields are still enforced, and readOnly fields are excluded from required checks, recursion, and constraints, matching OpenAPI 3.

  • Bug Fixes
    • Update model.mustache to exclude readOnly fields from the required map, from recursion in AssertXxxRequired, and from AssertXxxConstraints.
    • Add readonly-required.yaml and tests in GoServerCodegenTest to ensure id is skipped, name is enforced, and nested Meta is not recursed into.

Written for commit c58951d. Summary will update on new commits.

Review in cubic

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 3 files

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

AssertXxxRequired is only invoked on decoded request bodies, but it
enforced every entry of a schema's required list, including readOnly
properties. Per OpenAPI 3.x, readOnly properties are produced by the
server and MUST NOT be sent by the client, so a schema legitimately
listing a readOnly property as required (e.g. Redfish/JSON:API identity
fields like id, @odata.type) caused the generated controller to reject
every valid request that omitted the readOnly field.

Skip readOnly entries in the requiredVars loop in model.mustache so
non-readOnly required fields are still validated while readOnly ones are
not enforced on request bodies. Add a regression test using a spec with
a readOnly+required id and a non-readOnly required name.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG][go-server] AssertXxxRequired enforces readOnly required fields on request bodies, rejecting legitimate requests

1 participant