
Disallow entity creation via API for unpublished entity list #483

Closed
matthew-white opened this issue Sep 13, 2023 · 0 comments · Fixed by getodk/central-backend#986
Assignees: ktuite
Labels: backend (Requires a change to the API server), bug, entities (Multiple Encounter workflows)

Comments


matthew-white commented Sep 13, 2023

Problem description

It should not be possible to create an entity in an unpublished entity list. We already disallow that for entity creation via submission. However, it looks like it is currently possible to do so via the API.

It also looks to be possible to update an entity in an unpublished entity list via the API.

Steps to reproduce the problem

  • Create a new project.
  • Upload a form that creates entities. If published, this form will publish an entity list.
  • Before publishing the form, use the API to create an entity in the entity list. Only specify a UUID and label. I don't think it's possible to specify user-defined properties.
  • Next, use the API to update the entity that was just created, updating its label only.
  • Publish the form. Navigate to the entity list. The list shows the entity created.

URL of the page

https://staging.getodk.cloud/#/projects/42

Timestamps of note:

  • The entity was created at 22:06 EDT (visible on the entity detail page)
  • The entity was updated at 22:08
  • The form was published at 22:11 (visible in the form Versions tab)

Central version shown in version.txt

versions:
4818bb05aa7170cd7d93c9af83d520be3c88a233 (v2023.3.1-11-g4818bb0)
+143211abb5d9b5f3ae50350049bf8c45d3894699 client (v2023.3.0-26-g143211ab)
+2cf7c27cbe76ab1fe138367e734bdb3efdc0e405 server (v2023.3.1-52-g2cf7c27c)

Other notes (if any)

I noticed this while looking at how Datasets.get() is used in lib/resources/entities.js, after reviewing getodk/central-backend#974. I noticed these two endpoints that don't specify a third parameter for Datasets.get().

If possible, I think it would be wise to scan uses of Datasets.get() elsewhere in the codebase for similar issues.

I also wonder whether the third parameter of Datasets.get() should be optional, given that it often seems important.

matthew-white added the bug, backend (Requires a change to the API server) and entities (Multiple Encounter workflows) labels on Sep 13, 2023
ktuite self-assigned this on Sep 14, 2023
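Added illustration, not ODK Central's code or the reporter's: a mock of the Datasets.get() shape the issue describes (the third argument is assumed here to be a published-only flag), the entity-create handler before and after that flag is passed, and a small source scan for the "check other uses" suggestion. All names and sample data below are constructed.

```javascript
// Added illustration, not ODK Central code. Models the issue with an
// in-memory dataset table (constructed sample data) and shows why an
// optional published-only flag lets writes into unpublished datasets.
const datasets = [
  { projectId: 42, name: 'trees', publishedAt: null },                   // unpublished
  { projectId: 42, name: 'houses', publishedAt: '2023-09-01T00:00:00Z' }, // published
];

class NotFound extends Error {}

// Shape assumed from the issue text: a third, optional argument decides
// whether unpublished datasets are visible. Omitting it fails open.
function getDataset(projectId, name, publishedOnly) {
  const ds = datasets.find((d) => d.projectId === projectId && d.name === name);
  if (!ds) throw new NotFound('dataset not found');
  if (publishedOnly && ds.publishedAt == null) throw new NotFound('dataset not published');
  return ds;
}

// Before: the endpoint forgets the flag, so an entity lands in 'trees'.
function createEntityBefore(projectId, name, entity) {
  const ds = getDataset(projectId, name); // bug: no publishedOnly argument
  return { dataset: ds.name, uuid: entity.uuid, label: entity.label };
}

// After: the flag is passed explicitly; unpublished datasets look absent.
function createEntityAfter(projectId, name, entity) {
  const ds = getDataset(projectId, name, true);
  return { dataset: ds.name, uuid: entity.uuid, label: entity.label };
}

// Audit helper for the "scan other uses" suggestion: report call sites of
// Datasets.get( that pass fewer than three arguments. Simple regex, so it
// only handles single-line calls without nested parentheses.
function callsMissingThirdArg(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    const m = line.match(/Datasets\.get\(([^)]*)\)/);
    if (m && m[1].split(',').filter((s) => s.trim()).length < 3) hits.push(i + 1);
  });
  return hits;
}

// Constructed sample source: two unsafe calls (lines 2 and 4), one safe call.
const sampleSource = [
  'const { Datasets } = container;',
  'const ds = await Datasets.get(params.projectId, params.name);',
  'const ok = await Datasets.get(params.projectId, params.name, true);',
  'return Datasets.get(p, n).then(check);',
].join('\n');
```

Run with `node` after appending calls such as `callsMissingThirdArg(sampleSource)`; against a real tree the regex is only a first pass, since multi-line or nested calls need an AST-based check.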