ebarault · March 9, 2017 13:08
diff --git a/protectUserId.js b/protectUserId.js
 'use strict';

 /**
 * Add before safe hook and validation to all custom models with an userId property to prevent changing userId
 * properties by non-admin users.
 */

 const USER_ID_PROPERTY = 'userId';
 const INVALID_USER_ID = -1;

 function getBeforeSaveHook(app) {
  return (ctx, next) => {
    const accessToken = ctx.options.accessToken;
    const userId = accessToken && accessToken.userId;

    const data = ctx.instance || ctx.data;

    if (data.hasOwnProperty(USER_ID_PROPERTY) && data.userId !== userId) {
      const Role = app.models.Role;
      const RoleMapping = app.models.RoleMapping;

      Role.isInRole('admin', { principalType: RoleMapping.USER, principalId: userId }, (err, isInRole) => {
        if (err) return next(err);
        if (!isInRole) data.userId = INVALID_USER_ID;
        next();
      });
    } else {
      next();
    }
  };
 }

 module.exports = function(app) {

  const builtInModels = ['User', 'AccessToken', 'ACL', 'RoleMapping', 'Role'];
  const patchedModels = [];

  for (let model in app.models) {
    if (!app.models.hasOwnProperty(model)) continue;

    // Don't patch in-built models.
    if (builtInModels.indexOf(model) !== -1) continue;

    model = app.models[model];

    // Patch models only once.
    if (patchedModels.indexOf(model) !== -1) continue;

    if (model.definition.properties[USER_ID_PROPERTY]) {
      model.observe('before save', getBeforeSaveHook(app));
      model.validatesExclusionOf(USER_ID_PROPERTY, { in: [INVALID_USER_ID], message: 'Invalid userId.' });
      patchedModels.push(model);
    }
  }

 };
	'use strict';

	/**
	* Add before safe hook and validation to all custom models with an userId property to prevent changing userId
	* properties by non-admin users.
	*/

	const USER_ID_PROPERTY = 'userId';
	const INVALID_USER_ID = -1;

	function getBeforeSaveHook(app) {
	return (ctx, next) => {
	const accessToken = ctx.options.accessToken;
	const userId = accessToken && accessToken.userId;

	const data = ctx.instance \|\| ctx.data;

	if (data.hasOwnProperty(USER_ID_PROPERTY) && data.userId !== userId) {
	const Role = app.models.Role;
	const RoleMapping = app.models.RoleMapping;

	Role.isInRole('admin', { principalType: RoleMapping.USER, principalId: userId }, (err, isInRole) => {
	if (err) return next(err);
	if (!isInRole) data.userId = INVALID_USER_ID;
	next();
	});
	} else {
	next();
	}
	};
	}

	module.exports = function(app) {

	const builtInModels = ['User', 'AccessToken', 'ACL', 'RoleMapping', 'Role'];
	const patchedModels = [];

	for (let model in app.models) {
	if (!app.models.hasOwnProperty(model)) continue;

	// Don't patch in-built models.
	if (builtInModels.indexOf(model) !== -1) continue;

	model = app.models[model];

	// Patch models only once.
	if (patchedModels.indexOf(model) !== -1) continue;

	if (model.definition.properties[USER_ID_PROPERTY]) {
	model.observe('before save', getBeforeSaveHook(app));
	model.validatesExclusionOf(USER_ID_PROPERTY, { in: [INVALID_USER_ID], message: 'Invalid userId.' });
	patchedModels.push(model);
	}
	}

	};