Possible bug: I can use the API to delete records that don't exist in the current table


#1

If I create an Airtable with two tables in it, call them posts and comments, I can use either table name to delete records on the other table. In other words, if I have a comment with the ID recIA3d3kRJwccR4M, I can call:

DELETE https://api.airtable.com/v0/BASE_ID/comments/recIA3d3kRJwccR4M

or:

DELETE https://api.airtable.com/v0/BASE_ID/posts/recIA3d3kRJwccR4M

This seems like a pretty important bug as it could lead to accidentally deleting records from the wrong table. Is this a known issue or something that you’re looking to fix?


#2

It’s definitely strange, but I don’t think it could lead to the unexpected deletion of a record from the wrong table (correct me if I’m wrong here). Every record has a unique ID, that is unique regardless of table. There will never be a Post and a Comment that have the same recordID, only preceded by a different table name. So for this to be an issue, you’d have to actually call the wrong recordID, along with the wrong table, in order to delete a completely unexpected record.


#3

Fair enough, and I think you are right that two records cannot share the same ID even if they’re in other tables. It actually came up as I was working on a Proxy API that allows users to Delete records from one table, but only read from another table. Because of this bug, users can get around my table access rules.


#4

Ya, that could be a problem.


#5

Don’t quote me, but I think somewhere around here is a comment from Kasra saying that while records almost certainly have unique values, there’s nothing that enforces unique-ness…


#6

To clarify: record IDs in a base are currently guaranteed be unique, even across different tables :slight_smile:

We may change that in the future, so it’s best not to rely on the uniqueness, but we won’t change that guarantee until this issue is resolved in a future API update.

Sorry for this strange behavior in the current API!


#7

Not a big deal, and thanks for confirming the issue. Good to know I wasn’t just messing something up.

Is there any timeline or roadmap for future API improvements? I love the API, so I’d love to know when it’s being updated.


#8

This is indeed odd, and something we intend to fix in the next version of the API. We can’t fix it now, unfortunately, because we might break someone who is relying on this (strange) behavior.

We don’t have a public roadmap for API improvements, but it’s definitely something we’re working on!