From 09e269b7b29bbf7cde9dc839f96468fc8e1ef756 Mon Sep 17 00:00:00 2001
From: devonatdomandtom
Date: Fri, 19 Aug 2016 18:22:04 -0400
Subject: [PATCH 1/4] Update read-only.js

Added check to see if body is empty to prevent sql error 'syntax error at or near "WHERE"'
---
 lib/read-only.js | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/lib/read-only.js b/lib/read-only.js
index a8c6797..225bb3f 100644
--- a/lib/read-only.js
+++ b/lib/read-only.js
@@ -11,19 +11,22 @@ module.exports = function(Model, options) {
 if (!body) {
 return next();
 }
+ //set default error
+ var err = new Error('Unable to update: ' + Model.modelName + ' is read only.');
+ err.statusCode = 403;
+
 var properties = (Object.keys(options).length) ? options : null;
- if (properties) {
- debug('Creating %s : Read only properties are %j', Model.modelName, properties);
- Object.keys(properties).forEach(function(key) {
- debug('The \'%s\' property is read only, removing incoming data', key);
- delete body[key];
- });
- next();
- } else {
- var err = new Error('Unable to update: ' + Model.modelName + ' is read only.');
- err.statusCode = 403;
- next(err);
- }
+ if (!properties) return next(err);
+ debug('Creating %s : Read only properties are %j', Model.modelName, properties);
+ Object.keys(properties).forEach(function(key) {
+ debug('The \'%s\' property is read only, removing incoming data', key);
+ delete body[key];
+ });
+ //check if the request is empty
+ if (!Object.keys(body).length) return next(err);
+
+ next();
+
 };
 
 // Make sure emailVerified is not set by creation

From 10a3b3e52e80b91014ccd4eb2bf3663cc76c385c Mon Sep 17 00:00:00 2001
From: devonatdomandtom
Date: Fri, 19 Aug 2016 18:27:01 -0400
Subject: [PATCH 2/4] Update read-only.js

Removing whitespace
---
 lib/read-only.js | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/lib/read-only.js b/lib/read-only.js
index 225bb3f..4227b60 100644
--- a/lib/read-only.js
+++ b/lib/read-only.js
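Review bot: The new guard `if (!Object.keys(body).length) return next(err);` reuses the `err` built for a fully read-only model, so a client that sent only read-only fields of a partially read-only model is told `Unable to update: <Model> is read only.`, which does not describe what was rejected. A separate message for that branch, e.g. `'Unable to update: all supplied properties of ' + Model.modelName + ' are read only.'`, keeps the fail-closed 403 but makes the response and the debug log actionable. The check only inspects own top-level keys after `delete body[key]`, which matches the stripping loop, but the intent deserves a comment such as `// every incoming property was read-only; refuse rather than issue an empty UPDATE` (the commit message is the only place that currently explains the SQL syntax error this avoids). The enclosing `stripReadOnlyProperties` function starts before this hunk; the `//set default error` and `//check if the request is empty` comments added here are removed again by patches 2/4 and 3/4, which only touch whitespace.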
@@ -11,10 +11,8 @@ module.exports = function(Model, options) {
 if (!body) {
 return next();
 }
- //set default error
 var err = new Error('Unable to update: ' + Model.modelName + ' is read only.');
 err.statusCode = 403;
-
 var properties = (Object.keys(options).length) ? options : null;
 if (!properties) return next(err);
 debug('Creating %s : Read only properties are %j', Model.modelName, properties);
@@ -22,9 +20,7 @@ module.exports = function(Model, options) {
 debug('The \'%s\' property is read only, removing incoming data', key);
 delete body[key];
 });
- //check if the request is empty
 if (!Object.keys(body).length) return next(err);
-
 next();
 
 };

From e145967e44d7c917b49d4c1d6f462b5f2e10eeb6 Mon Sep 17 00:00:00 2001
From: devonatdomandtom
Date: Fri, 19 Aug 2016 18:30:16 -0400
Subject: [PATCH 3/4] Update read-only.js

Removing last trailing whitespace
---
 lib/read-only.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/read-only.js b/lib/read-only.js
index 4227b60..651eeea 100644
--- a/lib/read-only.js
+++ b/lib/read-only.js
@@ -22,7 +22,6 @@ module.exports = function(Model, options) {
 });
 if (!Object.keys(body).length) return next(err);
 next();
-
 };
 
 // Make sure emailVerified is not set by creation

From a3dd249d23b274174ca7e2bc0d3c0102f4eb8a0c Mon Sep 17 00:00:00 2001
From: DeVon Jackson
Date: Wed, 31 Aug 2016 10:11:53 -0700
Subject: [PATCH 4/4] added allowed roles property

---
 lib/read-only.js | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/lib/read-only.js b/lib/read-only.js
index 651eeea..d048e96 100644
--- a/lib/read-only.js
+++ b/lib/read-only.js
@@ -1,4 +1,5 @@
 var debug = require('debug')('loopback-ds-readonly-mixin');
+var _ = require("lodash");
 
 module.exports = function(Model, options) {
 'use strict';
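Review bot: `var _ = require("lodash");` adds a runtime dependency, but the diffstat of this patch lists only lib/read-only.js, so package.json is not updated and the require presumably resolves only while lodash happens to be installed transitively; it should be declared in `dependencies` with a pinned range so installs are reproducible and the dependency is visible to audit tooling. The only uses visible in the following hunk, `_.map(..., 'name')` and `_.intersection(...)`, can be written with `Array.prototype.map` and `filter`/`indexOf` in this ES5-style file, which would avoid the new dependency entirely. The added line also uses double quotes where the adjacent `require('debug')` and the rest of the file use single quotes.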
@@ -7,18 +8,30 @@ module.exports = function(Model, options) { // Make sure emailVerified is not set by creation Model.stripReadOnlyProperties = function(ctx, modelInstance, next) { + var body = ctx.req.body; if (!body) { return next(); } - var err = new Error('Unable to update: ' + Model.modelName + ' is read only.'); + + var currentUser = ctx.req.currentUser; + if (currentUser && options.allowedRoles) { + var roleNames = _.map(currentUser.toObject().roles, 'name'); + var allowed = _.intersection(options.allowedRoles, roleNames); + if (allowed.length) return next(); + } + + var err = new Error('Unable to update: ' + Model.modelName + ' property is read only'); err.statusCode = 403; + var properties = (Object.keys(options).length) ? options : null; if (!properties) return next(err); debug('Creating %s : Read only properties are %j', Model.modelName, properties); Object.keys(properties).forEach(function(key) { - debug('The \'%s\' property is read only, removing incoming data', key); - delete body[key]; + if (key !== "allowedRoles") { + debug('The \'%s\' property is read only, removing incoming data', key); + delete body[key]; + } }); if (!Object.keys(body).length) return next(err); next();