From b98709b3cec02fedc3cccb3790e74d05a7a9657e Mon Sep 17 00:00:00 2001 From: Sebastian Gierlinger Date: Tue, 6 May 2014 12:14:58 +0200 Subject: [PATCH] Refactor omit of password MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - remove password in toJSON() instead of filtering every occurrence of user - changed faulty error type ‚NotFound‘ to ‚NoPermission‘ --- core/server/api/posts.js | 43 ++++++++++---------------------------- core/server/api/users.js | 26 +++++------------------ core/server/models/user.js | 8 +++++++ 3 files changed, 24 insertions(+), 53 deletions(-) diff --git a/core/server/api/posts.js b/core/server/api/posts.js index e05fb9d719..fc66634b69 100644 --- a/core/server/api/posts.js +++ b/core/server/api/posts.js @@ -2,7 +2,6 @@ var when = require('when'), _ = require('lodash'), dataProvider = require('../models'), canThis = require('../permissions').canThis, - filteredUserAttributes = require('./users').filteredAttributes, posts, allowedIncludes = ['created_by', 'updated_by', 'published_by', 'author', 'tags', 'fields']; @@ -45,17 +44,7 @@ posts = { } // **returns:** a promise for a page of posts in a json object - return dataProvider.Post.findPage(options).then(function (result) { - var i = 0, - omitted = result; - - for (i = 0; i < omitted.posts.length; i = i + 1) { - if (!_.isNumber(omitted.posts[i].author)) { - omitted.posts[i].author = _.omit(omitted.posts[i].author, filteredUserAttributes); - } - } - return omitted; - }); + return dataProvider.Post.findPage(options); }, // #### Read @@ -76,14 +65,8 @@ posts = { // **returns:** a promise for a single post in a json object return dataProvider.Post.findOne(options, {include: include}).then(function (result) { - var omitted; - if (result) { - omitted = result.toJSON(); - if (!_.isNumber(omitted.author)) { - omitted.author = _.omit(omitted.author, filteredUserAttributes); - } - return { posts: [ omitted ]}; + return { posts: [ result.toJSON() ]}; } return when.reject({type: 'NotFound', message: 'Post not found.'}); @@ -108,15 +91,13 @@ posts = { return dataProvider.Post.edit(checkedPostData.posts[0], {user: self.user, include: include}); }).then(function (result) { if (result) { - var omitted = result.toJSON(); - if (!_.isNumber(omitted.author)) { - omitted.author = _.omit(omitted.author, filteredUserAttributes); - } + var post = result.toJSON(); + // If previously was not published and now is, signal the change if (result.updated('status') !== result.get('status')) { - omitted.statusChanged = true; + post.statusChanged = true; } - return { posts: [ omitted ]}; + return { posts: [ post ]}; } return when.reject({type: 'NotFound', message: 'Post not found.'}); @@ -141,15 +122,13 @@ posts = { return dataProvider.Post.add(checkedPostData.posts[0], {user: self.user, include: include}); }).then(function (result) { - var omitted = result.toJSON(); - if (!_.isNumber(omitted.author)) { - omitted.author = _.omit(omitted.author, filteredUserAttributes); - } - if (omitted.status === 'published') { + var post = result.toJSON(); + + if (post.status === 'published') { // When creating a new post that is published right now, signal the change - omitted.statusChanged = true; + post.statusChanged = true; } - return { posts: [ omitted ]}; + return { posts: [ post ]}; }); }, function () { return when.reject({type: 'NoPermission', message: 'You do not have permission to add posts.'}); diff --git a/core/server/api/users.js b/core/server/api/users.js index 522ddfbeb5..9752964cc8 100644 --- a/core/server/api/users.js +++ b/core/server/api/users.js @@ -4,7 +4,6 @@ var when = require('when'), settings = require('./settings'), canThis = require('../permissions').canThis, ONE_DAY = 86400000, - filteredAttributes = ['password'], users; @@ -23,21 +22,10 @@ users = { // **returns:** a promise for a collection of users in a json object return canThis(this.user).browse.user().then(function () { return dataProvider.User.findAll(options).then(function (result) { - var omitted = {}, - i; - - if (result) { - omitted = result.toJSON(); - } - - for (i = 0; i < omitted.length; i = i + 1) { - omitted[i] = _.omit(omitted[i], filteredAttributes); - } - - return { users: omitted }; + return { users: result.toJSON() }; }); }, function () { - return when.reject({type: 'NotFound', message: 'You do not have permission to browse users.'}); + return when.reject({type: 'NoPermission', message: 'You do not have permission to browse users.'}); }); }, @@ -51,8 +39,7 @@ users = { return dataProvider.User.findOne(args).then(function (result) { if (result) { - var omitted = _.omit(result.toJSON(), filteredAttributes); - return { users: [omitted] }; + return { users: [result.toJSON()] }; } return when.reject({type: 'NotFound', message: 'User not found.'}); @@ -69,8 +56,7 @@ users = { return dataProvider.User.edit(checkedUserData.users[0], {user: self.user}); }).then(function (result) { if (result) { - var omitted = _.omit(result.toJSON(), filteredAttributes); - return { users: [omitted]}; + return { users: [result.toJSON()]}; } return when.reject({type: 'NotFound', message: 'User not found.'}); }); @@ -94,8 +80,7 @@ users = { return dataProvider.User.add(checkedUserData.users[0], {user: self.user}); }).then(function (result) { if (result) { - var omitted = _.omit(result.toJSON(), filteredAttributes); - return { users: [omitted]}; + return { users: [result.toJSON()]}; } }); }, function () { @@ -160,4 +145,3 @@ users = { }; module.exports = users; -module.exports.filteredAttributes = filteredAttributes; \ No newline at end of file diff --git a/core/server/models/user.js b/core/server/models/user.js index aac1ec7470..7f07dcd09e 100644 --- a/core/server/models/user.js +++ b/core/server/models/user.js @@ -61,6 +61,14 @@ User = ghostBookshelf.Model.extend({ } }, + toJSON: function (options) { + var attrs = ghostBookshelf.Model.prototype.toJSON.call(this, options); + // remove password hash for security reasons + delete attrs.password; + + return attrs; + }, + posts: function () { return this.hasMany(Posts, 'created_by'); },