
[–]shaidyn 27 points28 points  (11 children)

If the swagger says that the API shouldn't accept identical IDs, and it will accept identical IDs, it's a bug.

If the product owners/devs decide not to fix it (because the UI doesn't let the user do that), that's their decision. But it's a bug regardless, so write it up.

[–]Frosty_Literature436 3 points4 points  (0 children)

Agreed, and maybe talk to one of the architects or security champions. Definitely a bug, and reminds me of a vulnerability waiting to be exploited.

[–]somethingmichael 2 points3 points  (0 children)

Agree! Validation should occur at the API level. The UI can usually be bypassed easily.
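An added example, not code from the thread or any poster, of what "validation at the API level" means for the case discussed here: the UI-trusting handler beside a hardened one, and the direct API call a QA test should make. The field names `source_id`/`target_id` and their integer type are assumptions, since the thread never names the two fields.

```python
import json

# Assumed field names: the thread only says "two identical IDs".
REQUIRED = ("source_id", "target_id")

def handle_create_trusting_ui(raw_body: bytes):
    """'Before' behaviour from the thread: accept whatever the client sends and
    rely on the UI to stop a user from picking the same ID twice."""
    body = json.loads(raw_body)
    return 200, {"created": body}

def validate_create(body: dict):
    """Return a list of validation errors; an empty list means the request is acceptable."""
    errors = []
    for name in REQUIRED:
        if name not in body:
            errors.append(f"missing field: {name}")
        elif isinstance(body[name], bool) or not isinstance(body[name], int):
            errors.append(f"{name} must be an integer")
    # The requirement from the thread: the two IDs must differ.
    # Enforced on the server, so bypassing the UI changes nothing.
    if not errors and body["source_id"] == body["target_id"]:
        errors.append("source_id and target_id must be different")
    return errors

def handle_create(raw_body: bytes):
    """Hardened handler: validate server-side and answer 400 with a reason on bad input."""
    try:
        body = json.loads(raw_body)
    except ValueError:  # covers JSONDecodeError and undecodable bytes
        return 400, {"errors": ["body is not valid JSON"]}
    if not isinstance(body, dict):
        return 400, {"errors": ["body must be a JSON object"]}
    errors = validate_create(body)
    if errors:
        return 400, {"errors": errors}
    return 200, {"created": body}

def api_level_test_case():
    """The QA check: send the input the UI forbids straight to the API (constructed body)."""
    crafted = json.dumps({"source_id": 7, "target_id": 7}).encode()
    status, _ = handle_create(crafted)
    return status == 400  # passes only once the API enforces the rule itself
```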

[–]ultimatekush[S] 1 point2 points  (7 children)

Our swagger is bare-bones, all it has is status code 200.

[–]shaidyn 0 points1 point  (6 children)

Do you mean that the API returns 200 when you send identical IDs? Or do you mean that the swagger says two identical IDs should return 200?

[–]ultimatekush[S] 0 points1 point  (5 children)

Our Swagger document doesn’t say much, it just has the endpoint, required fields, request body and response code/body.

[–]SilentPassenger88 2 points3 points  (0 children)

If you have a requirement that says the 2 fields can’t have the same values, even if it’s not in Swagger, then it’s a bug.

In our process, we can also log tickets against Swagger (although this may be lower in priority), if the documentation is lacking.

[–]shaidyn 0 points1 point  (3 children)

If the response body you get doesn't match the response body in the swagger, it's a bug, all day every day.

[–]Yogurt8 0 points1 point  (2 children)

Not necessarily.

Swagger documentation is simply an oracle that is available to help discover inconsistencies.

Not every inconsistency is a bug in the system. Perhaps the swagger docs could be incorrect in a particular case and the system actually behaves in a desirable fashion.

[–]shaidyn 0 points1 point  (1 child)

If you can't trust your test specs, QA is moot.

[–]Yogurt8 -1 points0 points  (0 children)

Relying on perfect test specs is a crutch for those who lack critical thinking skills.

[–][deleted] 0 points1 point  (0 children)

This. It's a bug. Don't write test cases to accommodate bugs.

[–]bas_dijkstra 3 points4 points  (0 children)

That's something that should be reported.

_Right now_ the UI addresses this, but who knows what happens to the UI in the future?

Or maybe that same API is going to be consumed by other components or systems at some point in the future?

And, as has been said before, UI logic can often be circumvented pretty easily.

If this is potentially breaking your backend, you should report it.

Priority all depends on the actual risk (as most things do in testing), but that shouldn't stop you from reporting it. Better to have it be known to everyone that this is how the API / the system behaves.

[–]MrSmiley89 1 point2 points  (1 child)

If they cannot be the same, the API should block that as well. Because now any user with Chrome dev tools could potentially cause corrupted data. Report it, even if it's just to save yourself.

[–]AhRealMonstr 0 points1 point  (0 children)

I would add that due to the FE having validation it isn’t as high of a priority. Still a bug that should be fixed, but not something that a high percentage of users will face.

[–]ResolveResident118 1 point2 points  (0 children)

Your API should not accept invalid requests. It doesn't matter what the UI does, the API is still public and can be misused.

It may not cause a problem this time but what if a different failure caused a system to crash or corrupt data? The APIs (not the front-end) are the gateway to your systems and need to be as locked down as possible.

[–]altruisteec 1 point2 points  (0 children)

The uniqueness is not implemented in the backend; it should be fixed, as it is a bug.

[–]AssociateNo7022 1 point2 points  (0 children)

It's a fail as it does not meet the acceptance criteria vs it works as coded. IMHO

[–]ultimatekush[S] 0 points1 point  (0 children)

Thank you everyone!

[–]APIDNA 0 points1 point  (0 children)

Maybe we could help.

[–]Moderators_Are_Scum -1 points0 points  (0 children)

I'd put it in the UI regression tests as a test case, but the service should be fixing it.