bsouter@coc.ca_thecityofcalgary

supportsTruncate flag in AGOL hosted feature service not respected

Discussion created by bsouter@coc.ca_thecityofcalgary on Jun 9, 2020

We have discovered that the supportsTruncate flag in the admin layer definition is not being respected as it is possible to use an admin REST truncate call to truncate data that has that flag set to false.

 

supportsTruncate flag in admin layer definition

 

In addition, it is possible to use the admin REST truncate call on an AGOL hosted feature service with sync enabled despite the REST documentation saying otherwise.

 

REST truncate documentation

 

We also discovered that FME has an option in the AGOL writer that enables truncate and insert that seems to use the admin REST truncate call as the OBJECTIDs are reset to 1.

 

This is extremely concerning as in a database only the schema owner can truncate the data, but the admin truncate REST call is potentially accessible to several users and if the supportsTruncate flag is not respected it is possible for users to inadvertently empty datasets in AGOL.

Outcomes