The REST API represents record ids as strings, like "#12:10". This means that I cannot take an arbitrary record and determine which fields are strings and which are links.
For example, let's assume a user enters the string "#12:10" in a field called name and the record is saved. If I later load that record, and if it's schemaless or if I don't have access to the schema, I cannot tell whether that field is a string or a link to another record. If I do something like looking for strings which match a record ID pattern, I can end up in a situation where:
- Certain magic strings can break my application, e.g. by returning an object where a string is expected.
- Malicious users can manipulate my application into revealing records they should not have access to.
After some discussion we fixed this in oriento by using specialist record id objects.
Fixing this in the current REST API implementation would be a very significant breaking change. Perhaps the solution would be to adopt a standardized JSON format, such as JSON-LD, which can accurately express linked document graphs. This new API could then be accessed by content negotiation, asking for the application/ld+json content type.