joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sanitizes RestWrite.data before passing to inflated object

Browse Source
This commit is contained in:
Florent Vilmart
2016-03-11 23:03:47 -05:00
parent 49531e7efe
commit cadd6fe406
2 changed files with 53 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
spec/ParseUser.spec.js
View File

@@ -2006,5 +2006,23 @@ describe('Parse.User testing', () => {
done(); done();
}) })
}); });
});
it('should aftersave with full object', (done) => {
var hit = 0;
Parse.Cloud.afterSave('_User', (req, res) => {
hit++;
expect(req.object.get('username')).toEqual('User');
res.success();
});
let user = new Parse.User()
user.setUsername('User');
user.setPassword('pass');
user.signUp().then(()=> {
user.set('hello', 'world');
return user.save();
}).then(() => {
Parse.Cloud._removeHook('Triggers', 'afterSave', '_User');
done();
});
})
});

16
src/RestWrite.js
View File

@@ -154,7 +154,7 @@ RestWrite.prototype.runBeforeTrigger = function() {
// This is an update for existing object. // This is an update for existing object.
originalObject = triggers.inflate(extraData, this.originalData); originalObject = triggers.inflate(extraData, this.originalData);
} }
updatedObject.set(Parse._decode(undefined, this.data)); updatedObject.set(this.sanitizedData());
return Promise.resolve().then(() => { return Promise.resolve().then(() => {
return triggers.maybeRunTrigger(triggers.Types.beforeSave, this.auth, updatedObject, originalObject, this.config.applicationId); return triggers.maybeRunTrigger(triggers.Types.beforeSave, this.auth, updatedObject, originalObject, this.config.applicationId);
@@ -770,7 +770,7 @@ RestWrite.prototype.runAfterTrigger = function() {
// Build the inflated object, different from beforeSave, originalData is not empty // Build the inflated object, different from beforeSave, originalData is not empty
// since developers can change data in the beforeSave. // since developers can change data in the beforeSave.
let updatedObject = triggers.inflate(extraData, this.originalData); let updatedObject = triggers.inflate(extraData, this.originalData);
updatedObject.set(Parse._decode(undefined, this.data)); updatedObject.set(this.sanitizedData());
updatedObject._handleSaveResponse(this.response.response, this.response.status || 200); updatedObject._handleSaveResponse(this.response.response, this.response.status || 200);
triggers.maybeRunTrigger(triggers.Types.afterSave, this.auth, updatedObject, originalObject, this.config.applicationId); triggers.maybeRunTrigger(triggers.Types.afterSave, this.auth, updatedObject, originalObject, this.config.applicationId);
@@ -789,5 +789,17 @@ RestWrite.prototype.objectId = function() {
return this.data.objectId || this.query.objectId; return this.data.objectId || this.query.objectId;
}; };
// Returns a copy of the data and delete bad keys (_auth_data, _hashed_password...)
RestWrite.prototype.sanitizedData = function() {
let data = Object.keys(this.data).reduce((data, key) => {
// Regexp comes from Parse.Object.prototype.validate
if (!(/^[A-Za-z][0-9A-Za-z_]*$/).test(key)) {
delete data[key];
}
return data;
}, deepcopy(this.data));
return Parse._decode(undefined, data);
}
export default RestWrite; export default RestWrite;
module.exports = RestWrite; module.exports = RestWrite;