Fix SQL Syntax when doing a valid insert with request body empty (#2530)

aaronburtle · abhishekkumams · web-flow · commit b95b95f3b38f · 2025-01-23T11:38:17.000-08:00
## Why make this change? Closes #2527 ## What is this change? We introduce new SQL text for PostgreSQL and MSSQL when the collection of insertion columns is empty, when doing an insert. MSSQL and PostgreSQL provide key words DEFAULT VALUES in order to handle this case, and MySQL uses an empty VALUES () text that we already generate. ## How was this tested? We add a new test to MSSQL and PostreSQL called InsertOneWithDefaultValuesAndEmptyRequestBody which makes a simple insertion without a request body, we then validate that the response is as expected. ## Sample Request(s) Any valid POST request to a table that is made up of columns that all have some kind of default value, with an empty request body. ie: {POST}https://localhost:5001/restApi/Book/ Request Body: { } --------- Co-authored-by: Abhishek Kumar <abhishekkuma@microsoft.com>
diff --git a/config-generators/mssql-commands.txt b/config-generators/mssql-commands.txt
@@ -3,6 +3,7 @@ add Publisher --config "dab-config.MsSql.json" --source publishers --permissions
 add Publisher_MM --config "dab-config.MsSql.json" --source publishers_mm --graphql "Publisher_MM:Publishers_MM" --permissions "anonymous:*"
 add Stock --config "dab-config.MsSql.json" --source stocks --permissions "anonymous:create,read,update,delete"
 add Book --config "dab-config.MsSql.json" --source books --permissions "anonymous:create,read,update,delete" --graphql "book:books"
+add Default_Books --config "dab-config.MsSql.json" --source default_books --permissions "anonymous:create,read,update,delete" --graphql "default_book:default_books"
 add Book_MM --config "dab-config.MsSql.json" --source books_mm --permissions "anonymous:*" --graphql "book_mm:books_mm"
 add BookWebsitePlacement --config "dab-config.MsSql.json" --source book_website_placements --permissions "anonymous:read"
 add Author --config "dab-config.MsSql.json" --source authors --permissions "anonymous:read"
diff --git a/config-generators/mysql-commands.txt b/config-generators/mysql-commands.txt
@@ -2,6 +2,7 @@ init --config "dab-config.MySql.json" --database-type mysql --connection-string
 add Publisher --config "dab-config.MySql.json" --source publishers --permissions "anonymous:read"
 add Stock --config "dab-config.MySql.json" --source stocks --permissions "anonymous:create,read,update,delete"
 add Book --config "dab-config.MySql.json" --source books --permissions "anonymous:create,read,update,delete" --graphql "book:books"
+add Default_Books --config "dab-config.MySql.json" --source default_books --permissions "anonymous:create,read,update,delete" --graphql "default_book:default_books"
 add BookNF --config "dab-config.MySql.json" --source books --permissions "anonymous:*" --rest true --graphql "bookNF:booksNF"
 add BookWebsitePlacement --config "dab-config.MySql.json" --source book_website_placements --permissions "anonymous:read"
 add Author --config "dab-config.MySql.json" --source authors --permissions "anonymous:read"
diff --git a/config-generators/postgresql-commands.txt b/config-generators/postgresql-commands.txt
@@ -2,6 +2,7 @@ init --config "dab-config.PostgreSql.json" --database-type postgresql --connecti
 add Publisher --config "dab-config.PostgreSql.json" --source publishers --permissions "anonymous:read"
 add Stock --config "dab-config.PostgreSql.json" --source stocks --permissions "anonymous:create,read,update,delete"
 add Book --config "dab-config.PostgreSql.json" --source books --permissions "anonymous:create,read,update,delete" --graphql "book:books"
+add Default_Books --config "dab-config.PostgreSql.json" --source default_books --permissions "anonymous:create,read,update,delete" --graphql "default_book:default_books"
 add BookWebsitePlacement --config "dab-config.PostgreSql.json" --source book_website_placements --permissions "anonymous:read"
 add Author --config "dab-config.PostgreSql.json" --source authors --permissions "anonymous:read"
 add Review --config "dab-config.PostgreSql.json" --source reviews --permissions "anonymous:create,read,update" --rest false --graphql "review:reviews"
diff --git a/src/Core/Authorization/RestAuthorizationHandler.cs b/src/Core/Authorization/RestAuthorizationHandler.cs
@@ -197,6 +197,18 @@ public Task HandleAsync(AuthorizationHandlerContext context)
 
                         restContext.UpdateReturnFields(fieldsReturnedForFind);
                     }
+                    else if (columnsToCheck.Count() == 0 && restContext.OperationType is EntityActionOperation.Insert)
+                    {
+                        // It's possible that a INSERT operation has no columns in the request
+                        // body, but the operation is still allowed in cases where the table
+                        // contains default values for all columns. In such cases, we check
+                        // all the columns if the insert operation is allowed.
+                        IEnumerable<string> fieldsForCreate = _authorizationResolver.GetAllowedExposedColumns(entityName, roleName, operation);
+                        if (fieldsForCreate.Count() == 0)
+                        {
+                            context.Fail();
+                        }
+                    }
                     else
                     {
                         context.Fail();
diff --git a/src/Core/Resolvers/MsSqlQueryBuilder.cs b/src/Core/Resolvers/MsSqlQueryBuilder.cs
@@ -114,10 +114,18 @@ public string Build(SqlInsertStructure structure)
             StringBuilder insertQuery = new();
             if (!isInsertDMLTriggerEnabled)
             {
-                // When there is no DML trigger enabled on the table for insert operation, we can use OUTPUT clause to return the data.
-                insertQuery.Append($"INSERT INTO {tableName} ({insertColumns}) OUTPUT " +
-                    $"{MakeOutputColumns(structure.OutputColumns, OutputQualifier.Inserted.ToString())} ");
-                insertQuery.Append(values);
+                if (!string.IsNullOrEmpty(insertColumns))
+                {
+                    // When there is no DML trigger enabled on the table for insert operation, we can use OUTPUT clause to return the data.
+                    insertQuery.Append($"INSERT INTO {tableName} ({insertColumns}) OUTPUT " +
+                        $"{MakeOutputColumns(structure.OutputColumns, OutputQualifier.Inserted.ToString())} ");
+                    insertQuery.Append(values);
+                }
+                else
+                {
+                    insertQuery.Append($"INSERT INTO {tableName} OUTPUT " +
+                        $"{MakeOutputColumns(structure.OutputColumns, OutputQualifier.Inserted.ToString())} DEFAULT VALUES");
+                }
             }
             else
             {
diff --git a/src/Core/Resolvers/MySqlQueryBuilder.cs b/src/Core/Resolvers/MySqlQueryBuilder.cs
@@ -295,7 +295,8 @@ private string MakeInsertSelections(SqlInsertStructure structure)
                 }
                 else if (columnDef.HasDefault)
                 {
-                    selections.Add($"{GetMySQLDefaultValue(columnDef)} as {quotedColName}");
+                    string columnSelectionValue = structure.InsertColumns.Any() ? GetMySQLDefaultValue(columnDef) : $"'{GetMySQLDefaultValue(columnDef)}'";
+                    selections.Add($"{columnSelectionValue} as {quotedColName}");
                 }
             }
 
diff --git a/src/Core/Resolvers/PostgresQueryBuilder.cs b/src/Core/Resolvers/PostgresQueryBuilder.cs
@@ -67,9 +67,18 @@ public string Build(SqlQueryStructure structure)
         /// <inheritdoc />
         public string Build(SqlInsertStructure structure)
         {
-            return $"INSERT INTO {QuoteIdentifier(structure.DatabaseObject.SchemaName)}.{QuoteIdentifier(structure.DatabaseObject.Name)} ({Build(structure.InsertColumns)}) " +
-                    $"VALUES ({string.Join(", ", (structure.Values))}) " +
-                    $"RETURNING {Build(structure.OutputColumns)};";
+            string insertQuery = $"INSERT INTO {QuoteIdentifier(structure.DatabaseObject.SchemaName)}.{QuoteIdentifier(structure.DatabaseObject.Name)} ";
+            if (structure.InsertColumns.Any())
+            {
+                insertQuery += $"({Build(structure.InsertColumns)}) " +
+                    $"VALUES ({string.Join(", ", (structure.Values))}) ";
+            }
+            else
+            {
+                insertQuery += "DEFAULT VALUES ";
+            }
+
+            return $"{insertQuery} RETURNING {Build(structure.OutputColumns)}";
         }
 
         /// <inheritdoc />
diff --git a/src/Service.Tests/DatabaseSchema-MsSql.sql b/src/Service.Tests/DatabaseSchema-MsSql.sql
@@ -61,6 +61,7 @@ DROP TABLE IF EXISTS default_with_function_table;
 DROP TABLE IF EXISTS [DimAccount]
 DROP TABLE IF EXISTS users;
 DROP TABLE IF EXISTS user_profiles;
+DROP TABLE IF EXISTS default_books;
 DROP SCHEMA IF EXISTS [foo];
 DROP SCHEMA IF EXISTS [bar];
 COMMIT;
@@ -387,6 +388,11 @@ CREATE TABLE user_profiles (
 	userid INT
 );
 
+CREATE TABLE default_books(
+    id int IDENTITY(5001, 1) PRIMARY KEY,
+    title NVARCHAR(100)
+);
+
 ALTER TABLE books
 ADD CONSTRAINT book_publisher_fk
 FOREIGN KEY (publisher_id)
@@ -444,6 +450,10 @@ ON DELETE CASCADE;
 ALTER TABLE sales
 ADD total AS (subtotal + tax) PERSISTED;
 
+ALTER TABLE default_books
+ADD CONSTRAINT title_constraint
+DEFAULT 'Placeholder' FOR title
+
 SET IDENTITY_INSERT publishers ON
 INSERT INTO publishers(id, name) VALUES (1234, 'Big Company'), (2345, 'Small Town Publisher'), (2323, 'TBD Publishing One'), (2324, 'TBD Publishing Two Ltd'), (1940, 'Policy Publisher 01'), (1941, 'Policy Publisher 02'), (1156, 'The First Publisher');
 SET IDENTITY_INSERT publishers OFF
diff --git a/src/Service.Tests/DatabaseSchema-MySql.sql b/src/Service.Tests/DatabaseSchema-MySql.sql
@@ -12,6 +12,7 @@ DROP TABLE IF EXISTS authors;
 DROP TABLE IF EXISTS book_website_placements;
 DROP TABLE IF EXISTS website_users;
 DROP TABLE IF EXISTS books;
+DROP TABLE IF EXISTS default_books;
 DROP TABLE IF EXISTS players;
 DROP TABLE IF EXISTS clubs;
 DROP TABLE IF EXISTS publishers;
@@ -50,6 +51,11 @@ CREATE TABLE books(
     publisher_id int NOT NULL
 );
 
+CREATE TABLE default_books (
+    id INT AUTO_INCREMENT PRIMARY KEY,
+    title VARCHAR(255) DEFAULT 'Placeholder'
+);
+
 CREATE TABLE players(
     id int AUTO_INCREMENT PRIMARY KEY,
     name text NOT NULL,
diff --git a/src/Service.Tests/DatabaseSchema-PostgreSql.sql b/src/Service.Tests/DatabaseSchema-PostgreSql.sql
@@ -12,6 +12,7 @@ DROP TABLE IF EXISTS authors;
 DROP TABLE IF EXISTS book_website_placements;
 DROP TABLE IF EXISTS website_users;
 DROP TABLE IF EXISTS books;
+DROP TABLE IF EXISTS default_books;
 DROP TABLE IF EXISTS players;
 DROP TABLE IF EXISTS clubs;
 DROP TABLE IF EXISTS publishers;
@@ -58,6 +59,11 @@ CREATE TABLE books(
     publisher_id int NOT NULL
 );
 
+CREATE TABLE default_books(
+    id SERIAL PRIMARY KEY,
+    title TEXT DEFAULT 'Placeholder'
+);
+
 CREATE TABLE clubs(
     id int GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
     name text NOT NULL
diff --git a/src/Service.Tests/Snapshots/ConfigurationTests.TestReadingRuntimeConfigForMsSql.verified.txt b/src/Service.Tests/Snapshots/ConfigurationTests.TestReadingRuntimeConfigForMsSql.verified.txt
@@ -924,6 +924,41 @@
         }
       }
     },
+    {
+      Default_Books: {
+        Source: {
+          Object: default_books,
+          Type: Table
+        },
+        GraphQL: {
+          Singular: default_book,
+          Plural: default_books,
+          Enabled: true
+        },
+        Rest: {
+          Enabled: true
+        },
+        Permissions: [
+          {
+            Role: anonymous,
+            Actions: [
+              {
+                Action: Create
+              },
+              {
+                Action: Read
+              },
+              {
+                Action: Update
+              },
+              {
+                Action: Delete
+              }
+            ]
+          }
+        ]
+      }
+    },
     {
       Book_MM: {
         Source: {
diff --git a/src/Service.Tests/Snapshots/ConfigurationTests.TestReadingRuntimeConfigForMySql.verified.txt b/src/Service.Tests/Snapshots/ConfigurationTests.TestReadingRuntimeConfigForMySql.verified.txt
@@ -766,6 +766,41 @@
         }
       }
     },
+    {
+      Default_Books: {
+        Source: {
+          Object: default_books,
+          Type: Table
+        },
+        GraphQL: {
+          Singular: default_book,
+          Plural: default_books,
+          Enabled: true
+        },
+        Rest: {
+          Enabled: true
+        },
+        Permissions: [
+          {
+            Role: anonymous,
+            Actions: [
+              {
+                Action: Create
+              },
+              {
+                Action: Read
+              },
+              {
+                Action: Update
+              },
+              {
+                Action: Delete
+              }
+            ]
+          }
+        ]
+      }
+    },
     {
       BookNF: {
         Source: {
diff --git a/src/Service.Tests/Snapshots/ConfigurationTests.TestReadingRuntimeConfigForPostgreSql.verified.txt b/src/Service.Tests/Snapshots/ConfigurationTests.TestReadingRuntimeConfigForPostgreSql.verified.txt
@@ -799,6 +799,41 @@
         }
       }
     },
+    {
+      Default_Books: {
+        Source: {
+          Object: default_books,
+          Type: Table
+        },
+        GraphQL: {
+          Singular: default_book,
+          Plural: default_books,
+          Enabled: true
+        },
+        Rest: {
+          Enabled: true
+        },
+        Permissions: [
+          {
+            Role: anonymous,
+            Actions: [
+              {
+                Action: Create
+              },
+              {
+                Action: Read
+              },
+              {
+                Action: Update
+              },
+              {
+                Action: Delete
+              }
+            ]
+          }
+        ]
+      }
+    },
     {
       BookWebsitePlacement: {
         Source: {
diff --git a/src/Service.Tests/SqlTests/RestApiTests/Insert/MsSqlInsertApiTests.cs b/src/Service.Tests/SqlTests/RestApiTests/Insert/MsSqlInsertApiTests.cs
@@ -102,6 +102,11 @@ public class MsSqlInsertApiTests : InsertApiTestBase
                 $"WHERE [id] = { STARTING_ID_FOR_TEST_INSERTS + 1} AND [book_id] = 2 AND [content] = 'Its a classic' " +
                 $"FOR JSON PATH, INCLUDE_NULL_VALUES, WITHOUT_ARRAY_WRAPPER"
             },
+            {
+                "InsertOneWithDefaultValuesAndEmptyRequestBody",
+                $"SELECT [id], [title] FROM { _tableWithDefaultValues } " +
+                $"FOR JSON PATH, INCLUDE_NULL_VALUES, WITHOUT_ARRAY_WRAPPER"
+            },
             {
                 "InsertOneWithNullFieldValue",
                 $"SELECT [categoryid], [pieceid], [categoryName],[piecesAvailable]," +
@@ -367,6 +372,31 @@ await SetupAndRunRestApiTest(
                 );
         }
 
+        /// <summary>
+        /// Validates we are able to successfully insert with an empty request body into a table
+        /// that has default values available for its columns.
+        /// </summary>
+        /// <returns></returns>
+        [TestMethod]
+        public async Task InsertOneWithDefaultValuesAndEmptyRequestBody()
+        {
+            // Validate that we can insert when request body is empty but we have columns that have default values.
+            string requestBody = @"
+            {
+            }";
+
+            await SetupAndRunRestApiTest(
+                primaryKeyRoute: null,
+                queryString: string.Empty,
+                entityNameOrPath: _entityWithDefaultValues,
+                sqlQuery: GetQuery(nameof(InsertOneWithDefaultValuesAndEmptyRequestBody)),
+                operationType: EntityActionOperation.Insert,
+                exceptionExpected: false,
+                requestBody: requestBody,
+                expectedStatusCode: HttpStatusCode.Created
+                );
+        }
+
         [TestMethod]
         public async Task InsertOneInViewBadRequestTest()
         {
diff --git a/src/Service.Tests/SqlTests/RestApiTests/Insert/MySqlInsertApiTests.cs b/src/Service.Tests/SqlTests/RestApiTests/Insert/MySqlInsertApiTests.cs
@@ -125,6 +125,16 @@ SELECT JSON_OBJECT('id', id, 'content', content, 'book_id', book_id) AS data
                     ) AS subq
                 "
             },
+            {
+                "InsertOneWithDefaultValuesAndEmptyRequestBody",
+                @"
+                    SELECT JSON_OBJECT('id', id, 'title', title) AS data
+                    FROM (
+                        SELECT id, title
+                        FROM " + _tableWithDefaultValues + @"
+                    ) AS subq
+                "
+            },
             {
                 "InsertSqlInjectionQuery1",
                 @"
@@ -230,6 +240,31 @@ public void InsertOneInViewBadRequestTest()
             throw new NotImplementedException();
         }
 
+        /// <summary>
+        /// Validates we are able to successfully insert with an empty request body into a table
+        /// that has default values available for its columns.
+        /// </summary>
+        /// <returns></returns>
+        [TestMethod]
+        public async Task InsertOneWithDefaultValuesAndEmptyRequestBody()
+        {
+            // Validate that we can insert when request body is empty but we have columns that have default values.
+            string requestBody = @"
+            {
+            }";
+
+            await SetupAndRunRestApiTest(
+                primaryKeyRoute: null,
+                queryString: string.Empty,
+                entityNameOrPath: _entityWithDefaultValues,
+                sqlQuery: GetQuery(nameof(InsertOneWithDefaultValuesAndEmptyRequestBody)),
+                operationType: EntityActionOperation.Insert,
+                exceptionExpected: false,
+                requestBody: requestBody,
+                expectedStatusCode: HttpStatusCode.Created
+                );
+        }
+
         #region overridden tests
         /// <inheritdoc/>
         [TestMethod]
diff --git a/src/Service.Tests/SqlTests/RestApiTests/Insert/PostgreSqlInsertApiTests.cs b/src/Service.Tests/SqlTests/RestApiTests/Insert/PostgreSqlInsertApiTests.cs
diff --git a/src/Service.Tests/SqlTests/RestApiTests/RestApiTestBase.cs b/src/Service.Tests/SqlTests/RestApiTests/RestApiTestBase.cs
diff --git a/src/Service.Tests/dab-config.MsSql.json b/src/Service.Tests/dab-config.MsSql.json
diff --git a/src/Service.Tests/dab-config.PostgreSql.json b/src/Service.Tests/dab-config.PostgreSql.json

Original file line number	Diff line number	Diff line change
`@@ -295,7 +295,8 @@ private string MakeInsertSelections(SqlInsertStructure structure)`
`295`	`295`	`}`
`296`	`296`	`else if (columnDef.HasDefault)`
`297`	`297`	`{`
`298`		`- selections.Add($"{GetMySQLDefaultValue(columnDef)} as {quotedColName}");`
	`298`	`+ string columnSelectionValue = structure.InsertColumns.Any() ? GetMySQLDefaultValue(columnDef) : $"'{GetMySQLDefaultValue(columnDef)}'";`
	`299`	`+ selections.Add($"{columnSelectionValue} as {quotedColName}");`
`299`	`300`	`}`
`300`	`301`	`}`
`301`	`302`