Use DI parser in AllowedIncludesAttribute #134

@erlendellefsen

Description

AllowedIncludesAttribute.OnActionExecuting (line 64) calls JsonApiQueryParser.Parse directly, bypassing the QueryComplexityAnalyzer.Validate step that runs in IJsonApiQueryParser. Two issues:

  1. Filter limits (count, depth, value length) are not enforced for actions decorated with [AllowedIncludes].
  2. The same request is parsed twice (once in the attribute, once in the controller).

Acceptance criteria

  • Attribute resolves IJsonApiQueryParser from context.HttpContext.RequestServices
  • Parsed QueryParameters is stashed (e.g. on HttpContext.Items) and reused by the controller
  • New test: a request with a filter tree exceeding JsonApiOptions.MaxFilters returns 400 on a [AllowedIncludes] action
  • Existing [AllowedIncludes] integration tests still pass
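
A sketch of the attribute shape the acceptance criteria describe, added here as an illustration and not taken from the issue or the project's code. `QueryParameters`, the `IJsonApiQueryParser.Parse` signature, `QueryComplexityException`, the `AllowedIncludesSketchAttribute` name and the `Items` key are all assumed stand-ins; only the ASP.NET Core types are real.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

// Stand-ins with assumed shapes; the project's real types may differ.
public sealed record QueryParameters(string[] Includes);
public interface IJsonApiQueryParser { QueryParameters Parse(IQueryCollection query); }
public sealed class QueryComplexityException : Exception // hypothetical validator error
{
    public QueryComplexityException(string message) : base(message) { }
}

[AttributeUsage(AttributeTargets.Method)]
public sealed class AllowedIncludesSketchAttribute : ActionFilterAttribute
{
    public const string ItemsKey = "JsonApi.ParsedQuery"; // hypothetical Items key
    private readonly string[] _allowed;

    public AllowedIncludesSketchAttribute(params string[] allowed) => _allowed = allowed;

    public override void OnActionExecuting(ActionExecutingContext context)
    {
        var http = context.HttpContext;
        // Resolve the parser from DI so the complexity validation step runs
        // here too, instead of calling a static parser that skips it.
        var parser = http.RequestServices.GetRequiredService<IJsonApiQueryParser>();

        QueryParameters parsed;
        try
        {
            parsed = parser.Parse(http.Request.Query);
        }
        catch (QueryComplexityException ex)
        {
            // Over-limit filter trees are rejected before the action executes.
            context.Result = new BadRequestObjectResult(ex.Message);
            return;
        }

        // Stash the validated result so the controller reuses it (single parse).
        http.Items[ItemsKey] = parsed;

        var rejected = parsed.Includes.Except(_allowed, StringComparer.OrdinalIgnoreCase).ToArray();
        if (rejected.Length > 0)
            context.Result = new BadRequestObjectResult("Include not allowed: " + string.Join(", ", rejected));
    }
}
```

A controller would then read `HttpContext.Items[AllowedIncludesSketchAttribute.ItemsKey]` and fall back to the injected parser only when the entry is absent.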

Labels: .NET, bug
