Roles.userIsInRole without role returns true

[idanwe]

I'm using enum for my defined roles.
And at one place I misspelled a role UserRole.Supervisor instead of UserRoe.SUPERVISOR
then I found that Roles.userIsInRole(this.userId, undefined, 'real-madrid') returns true.
e.g.

  Roles.addUsersToRoles(userId, UserRole.SUPERVISON, 'barcelona');
  Roles.userIsInRole(userId, UserRole.Supervison, 'real-madrid'); // Supervisor is misspelled lowercase
  > true 

I found it as a security vulnerability.

Do you have some best practice to avoid it?
Is it in purpose?

[mitar]

Which version are you using? 1.0 or 2.0?

[idanwe]

alanning:[email protected]

[idanwe]

@mitar What is the status of v2?

[mitar]

I think it is ready, but it is waiting for @alanning to release it (or release at least release candidate).

[mitar]

I made a test for 2.0 in c5e27a8 and it is returning false for unknown roles.

[mitar]

And for 1.0 I made e486f5a. I cannot reproduce what you are reporting here, so I think you have an issue on your side.