diff --git a/modules/users/server/controllers/users/users.profile.server.controller.js b/modules/users/server/controllers/users/users.profile.server.controller.js
index 9d2967e270..d6ed3b4467 100644
--- a/modules/users/server/controllers/users/users.profile.server.controller.js
+++ b/modules/users/server/controllers/users/users.profile.server.controller.js
@@ -12,6 +12,8 @@ var _ = require('lodash'),
 config = require(path.resolve('./config/config')),
 User = mongoose.model('User');
 
+var whitelistedFields = ['firstName', 'lastName', 'email', 'username'];
+
 /**
 * Update user details
 */
@@ -19,15 +21,10 @@ exports.update = function (req, res) {
 // Init Variables
 var user = req.user;
 
- // For security measurement we remove the roles from the req.body object
- delete req.body.roles;
-
- // For security measurement do not use _id from the req.body object
- delete req.body._id;
-
 if (user) {
- // Merge existing user
- user = _.extend(user, req.body);
+ // Update whitelisted fields only
+ user = _.extend(user, _.pick(req.body, whitelistedFields));
+
 user.updated = Date.now();
 user.displayName = user.firstName + ' ' + user.lastName;
 
diff --git a/modules/users/tests/server/user.server.routes.tests.js b/modules/users/tests/server/user.server.routes.tests.js
index 2d59d4d3a7..7fbb05efde 100644
--- a/modules/users/tests/server/user.server.routes.tests.js
+++ b/modules/users/tests/server/user.server.routes.tests.js
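Review bot: `whitelistedFields` in the first hunk is now the single control deciding what a caller of PUT /api/users can write into the persisted user, yet it is declared as a bare mutable `var` with no comment saying so; I would freeze it and state the intent where it is declared: `// Allowlist of profile fields a user may set through PUT /api/users; everything else in req.body (roles, password, salt, _id, resetPasswordToken, ...) is dropped by _.pick in update() below.` followed by `var whitelistedFields = Object.freeze(['firstName', 'lastName', 'email', 'username']);`. Moving from deleting two known-bad keys to picking known-good ones is the right direction, since the old code left every other field assignable. Note that `email` and `username` remain user-settable through this route; if the User schema enforces uniqueness on them or they serve as sign-in identifiers, the save callback further down in `exports.update` (outside this hunk) has to handle the resulting error, and the test added in the other file exercises only password, salt, created and resetPasswordToken, not a change to those two identity fields. `exports.update` continues past the end of the second hunk.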
@@ -807,6 +807,54 @@ describe('User CRUD tests', function () {
 });
 });
 
+ it('should not be able to update secure fields', function (done) {
+ var resetPasswordToken = 'password-reset-token';
+ user.resetPasswordToken = resetPasswordToken;
+
+ user.save(function (saveErr) {
+ if (saveErr) {
+ return done(saveErr);
+ }
+ agent.post('/api/auth/signin')
+ .send(credentials)
+ .expect(200)
+ .end(function (signinErr, signinRes) {
+ // Handle signin error
+ if (signinErr) {
+ return done(signinErr);
+ }
+ var userUpdate = {
+ password: 'Aw3$0m3P@ssWord',
+ salt: 'newsaltphrase',
+ created: new Date(2000, 9, 9),
+ resetPasswordToken: 'tweeked-reset-token'
+ };
+
+ // Get own user details
+ agent.put('/api/users')
+ .send(userUpdate)
+ .expect(200)
+ .end(function (err, res) {
+ if (err) {
+ return done(err);
+ }
+
+ User.findById(user._id, function (dbErr, updatedUser) {
+ if (dbErr) {
+ return done(dbErr);
+ }
+
+ updatedUser.password.should.be.equal(user.password);
+ updatedUser.salt.should.be.equal(user.salt);
+ updatedUser.created.getTime().should.be.equal(user.created.getTime());
+ updatedUser.resetPasswordToken.should.be.equal(resetPasswordToken);
+ done();
+ });
+ });
+ });
+ });
+ });
+
 it('should not be able to update own user details if not logged-in', function (done) {
 user.roles = ['user'];