Patch with no query updates all records in the database

[NorthDecoder]

While struggling to to learn how to write the correct query
to patch only one record, I tried no query and the default of
patch all records was performed.

Steps to reproduce

1. Following the the todo-list tutorial

lb4 example todo-list
cd loopback4-example-todo-list
npm start

2. Browse to the API explorer at http://127.0.0.1:3000

3. Notice that the database is prepopulated

   a. With GET todo-lists/count

   • Click Try It out
   • remove the default query
   • press the execute button
   • see result { "count": 2 }

   b. With button GET todo-lists/

   • Click Try It out
   • remove the default query
   • press the execute button
   • see the response has two lists

     	[
     	  {
     	    "id": 1,
     	    "title": "Sith lord's check list",
     	    "color": "blue"
     	  },
     	  {
     	    "id": 2,
     	    "title": "My daily chores",
     	    "color": "red"
     	  }
     	]

   c. Click button GET /todo-lists/{id}/todos

   • Click Try It out
   • Enter 1 for the id number of the first list
   • remove the default query
   • press the execute button
   • see the response is quantity three pre-populated todos
     id's 1, 2 and 4 .

   WARNING: about to (accidentally) patch all the todos in the list!

   d. Click button PATCH /todo-lists/{id}/todos

   • Click Try It out
   • Enter 1 for the id number of the first list
   • remove the default query
   • add some replacement data in the request body, for example:

     {
       "id": 4,
       "title": "my-title-string",
       "desc": "a short description string",
       "isComplete": false,
       "todoListId": 1
     }

   • press the execute button
   • see the response is

     {
       "count": 3
     }

   e. Re-perform step c. above to see the result is:

       [
          {
            "id": 1,
            "title": "my-title-string",
            "desc": "a short description string",
            "isComplete": false,
            "todoListId": 1
          },
          {
            "id": 2,
            "title": "my-title-string",
            "desc": "a short description string",
            "isComplete": false,
            "todoListId": 1
          },
          {
            "id": 4,
            "title": "my-title-string",
            "desc": "a short description string",
            "isComplete": false,
            "todoListId": 1
          }
        ]

   • an array where all the records have been unceremoniously patched to equal the replacement data! The list count is still { "count": 2 }.

Current Behavior

• Default (accidental) patch of all records.

Expected Behavior

• My expectation is that at least nothing would happen
  accidentally. Even better, no patch-all would occur
  and that a somewhat helpful error message would be
  returned stating that an empty query is not allowed with
  a patch request.

Link to reproduction sandbox

__N/A__

Additional information

• linux x64 14.15.1

@loopback/example-todo-list@3.7.1 /home/northdecoder/workspace/loopback4-example-todo-list
├── @loopback/boot@3.2.0
├── @loopback/core@2.14.0
├── @loopback/repository@3.4.0
├── @loopback/rest@9.1.2
├── @loopback/rest-explorer@3.0.6
├── @loopback/service-proxy@3.0.6
├── loopback-connector-rest@4.0.1

Related Issues

Issue #

• Deletes all with no query issue# 7017. Not sure the code is related, however the pattern of behavior is similar.

[juanvillegas]

In that case, if you wanted to effectively patch all records in the database, you would need an extra flag to "force" the behavior?