Skip to content

Instantly share code, notes, and snippets.

@davidworkman9

davidworkman9/allowPositional.js

Last active August 29, 2015 13:56
Show Gist options
  • Save davidworkman9/9273637 to your computer and use it in GitHub Desktop.
Save davidworkman9/9273637 to your computer and use it in GitHub Desktop.
Download ZIP
Proposal for how the positional operator could be allowed in untrusted code in Meteor
Raw
allowPositional.js
function allowedSelector(selector, updateStatement) {
var selectors = [];
var allowed = true;
_.each(Object.keys(selector), function (key) {
var matcher;
if (key !== '_id') {
var parts = key.split('.')
matcher = parts.length > 1 ? new RegExp('^' + escapeRegex(parts[0] + '.$.') + '[A-Za-z]+$') :
new RegExp('^' + escapeRegex(parts[0] + '.$') + '$');
if (!usesKey(matcher updateStatement)) {
allowed = false;
}
}
});
return allowed;
function usesKey(matcher, obj) {
var keyUsed = false;
_.each(Object.keys(obj), function (k) {
if (typeof obj[k] === 'object') {
if(usesKey(matcher, obj[k])) {
keyUsed = true;
}
} else if (matcher.test(k)) {
keyUsed = true;
}
});
return keyUsed;
}
}
Raw
doUpdate.js
function update(selector, modifier, options) {
var doc = this.findOne({ _id: selector._id });
// assuming this is somewhat how allow/deny is done..
if (doc) {
var deny = false;
_.each(denys, function (d) {
if(d(this.userId, doc, fieldNames, modifier))
deny = true;
});
if(!deny) {
var allowed = false;
_.each(allows, function (a) {
if(a(this.userId, doc, fieldNames, modifier)))
allowed = true;
});
if(allowed) {
this.update(selector, modifier, options);
}
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment