Skip to content
This repository has been archived by the owner on Aug 30, 2021. It is now read-only.

[bug] Article edit/remove buttons ng-show logic uses user._id #1146

Closed
mleanos opened this issue Jan 17, 2016 · 0 comments · Fixed by #1149
Closed

[bug] Article edit/remove buttons ng-show logic uses user._id #1146

mleanos opened this issue Jan 17, 2016 · 0 comments · Fixed by #1149

Comments

@mleanos
Copy link
Member

mleanos commented Jan 17, 2016

This line, in the Article edit view, is attempting to validate if the current User is the owner of the Article being edited. Since we're not storing the User's _id field on the client-side User object any longer, it cannot evaluate properly.

To reproduce this...

  1. Login with a User that has created Article(s) (or create an Article after log in).
  2. Go to an article that the user owns and you'll see that the edit & remove buttons are present
  3. Do a hard refresh of the browser (Ctrl+F5), and you'll see the button are now gone

I know the decision to remove the _id field from the client-side User object was intentional, for security reasons. I'm unclear as to the exact implications of having the _id field; can someone shed light on that for me?

A simple, but hackish way of fixing this would be to compare the User's username field, with the Articles user.username field; which means we'd have to populate the latter on the Article object when we retrieve it from the database.

A better solution that comes to mind is to handle the validation in the controller, by retrieving the User's info from the back-end & then setting a property on the view model (vm) that specifies if they own the document. This option requires more changes than the simple solution I described above, but is probably better practice.
Something like this..

function isArticleOwner() {
  // we need to load the user from the backend somehow
  // maybe, with a resolve User in the client route config
  if (user._id.toString() === article.user._id.toString()) {
    return true;
  } else {
    return false;
  }
}

Any ideas?
@mleanos mleanos mentioned this issue Jan 18, 2016
Merged
@0x24a537r9 0x24a537r9 mentioned this issue Jan 31, 2016
Closed
mleanos added a commit to mleanos/mean that referenced this issue Feb 8, 2016
@mleanos
fix(articles): Article edit/delete validation
69b8a05 
Adds a custom field named `isCurrentUserOwner` to the Article document before
it's returned to the client. This field is used to determine if the current
User should is the "owner", and should see the edit/delete controls on the
client-side when viewing a single article. This custom (ad-hoc) field is NOT
persisted to the database; it's merely attached to the document.

Added server-side route tests for verifying the ad-hoc
"isCurrentUserOwner" field is properly set on the a single Article document.

Fixes meanjs#1146
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(articles): Article edit/delete validation mleanos/mean
1 participant
@mleanos