fix: revert to strict comparison in updateDocument, normalize tenant instead

abnegate · claude · abnegate · commit a67be9c874db · 2026-03-16T23:55:25.000+13:00
The loose comparison in the update-detection block could miss type-only
changes, allowing writes to persist with only READ authorization checked
instead of UPDATE. Normalize the old document's $tenant value so both
sides match under strict comparison.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/Database/Database.php b/src/Database/Database.php
@@ -6055,7 +6055,9 @@ public function updateDocument(string $collection, string $id, Document $documen
             $document['$createdAt'] = ($createdAt === null || !$this->preserveDates) ? $old->getCreatedAt() : $createdAt;
 
             if ($this->adapter->getSharedTables()) {
-                $document['$tenant'] = $old->getTenant(); // Make sure user doesn't switch tenant
+                $tenant = $old->getTenant();
+                $document['$tenant'] = $tenant;
+                $old->setAttribute('$tenant', $tenant); // Normalize for strict comparison
             }
             $document = new Document($document);
 
@@ -6065,13 +6067,6 @@ public function updateDocument(string $collection, string $id, Document $documen
                 return $attribute['type'] === Database::VAR_RELATIONSHIP;
             });
 
-            $idAttributes = [];
-            foreach (\array_merge(self::INTERNAL_ATTRIBUTES, $attributes) as $attribute) {
-                if ($attribute['type'] === Database::VAR_ID) {
-                    $idAttributes[$attribute['$id']] = true;
-                }
-            }
-
             $shouldUpdate = false;
 
             if ($collection->getId() !== self::METADATA) {
@@ -6169,8 +6164,7 @@ public function updateDocument(string $collection, string $id, Document $documen
 
                     $oldValue = $old->getAttribute($key);
 
-                    $isIdType = isset($idAttributes[$key]);
-                    if ($isIdType ? $value != $oldValue : $value !== $oldValue) {
+                    if ($value !== $oldValue) {
                         $shouldUpdate = true;
                         break;
                     }
