From e9d5df647d2df520f21952959592854044ee01d7 Mon Sep 17 00:00:00 2001 From: Matt Date: Sat, 9 May 2026 19:58:10 +0200 Subject: [PATCH] fix(documents): folder PATCH rejects bodies with both name and parentId MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit z.union picks the first member that parses successfully, so a body with { name, parentId } would silently be parsed as a rename and the parentId dropped. The route comment claimed this was rejected — it wasn't. Adding .strict() to each branch makes the rejection real: both members refuse extra keys, the union produces a 400, and the rep gets feedback instead of a silent half-op. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 src/app/api/v1/document-folders/[id]/route.ts | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/app/api/v1/document-folders/[id]/route.ts b/src/app/api/v1/document-folders/[id]/route.ts
index 3b788822..e4cc3365 100644
--- a/src/app/api/v1/document-folders/[id]/route.ts
+++ b/src/app/api/v1/document-folders/[id]/route.ts
@@ -4,10 +4,7 @@ import { z } from 'zod';
 import { withAuth, withPermission } from '@/lib/api/helpers';
 import { parseBody } from '@/lib/api/route-helpers';
 import { errorResponse, NotFoundError } from '@/lib/errors';
-import {
- renameFolderSchema,
- moveFolderSchema,
-} from '@/lib/validators/document-folders';
+import { renameFolderSchema, moveFolderSchema } from '@/lib/validators/document-folders';
 import {
 renameFolder,
 moveFolder,
@@ -20,7 +17,11 @@ import {
 * (one operation per call) and prevents the rep from accidentally
 * doing two unrelated changes in one click.
 */
-const patchBodySchema = z.union([renameFolderSchema, moveFolderSchema]);
+// `.strict()` on each branch so a body with BOTH name and parentId is
+// rejected by both members and the union produces a 400 — without it,
+// z.union silently picks the first match and drops the other key,
+// which would let a rename request silently swallow a move attempt.
+const patchBodySchema = z.union([renameFolderSchema.strict(), moveFolderSchema.strict()]);
 
 export const PATCH = withAuth(
 withPermission('documents', 'manage_folders', async (req, ctx, params) => {
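Review bot: The rejection of `{ name, parentId }` on the new `patchBodySchema` line holds only while `renameFolderSchema` and `moveFolderSchema` declare no key in common. Both are defined in `@/lib/validators/document-folders`, outside this diff, so if either later gains the other's key as an optional field, the union would presumably fall back to first-match and drop the second operation without an error. I would state that dependency next to the schema, e.g. `// Invariant: the two member schemas must not share keys; a shared optional key re-enables first-match.`, and cover it with a route test that expects a 400 for a body carrying both keys. `.strict()` also turns every unrecognised key into a 400, not only the name/parentId pair, which is a wider contract change than the commit message describes and is worth a line in the JSDoc above. The PATCH handler body continues past the end of the hunk, so how it dispatches between rename and move is not visible here.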