Fix(users): Don't update secure profile fields #1421

Merged
merged 2 commits into from
Aug 27, 2016
Expand Up @@ -12,22 +12,19 @@ var _ = require('lodash'),
config = require(path.resolve('./config/config')),
User = mongoose.model('User');

var whitelistedFields = ['firstName', 'lastName', 'email', 'username'];

/**
* Update user details
*/
exports.update = function (req, res) {
// Init Variables
var user = req.user;

// For security measurement we remove the roles from the req.body object
delete req.body.roles;

// For security measurement do not use _id from the req.body object
delete req.body._id;

if (user) {
// Merge existing user
user = _.extend(user, req.body);
// Update whitelisted fields only
user = _.extend(user, _.pick(req.body, whitelistedFields));

user.updated = Date.now();
user.displayName = user.firstName + ' ' + user.lastName;

48 changes: 48 additions & 0 deletions modules/users/tests/server/user.server.routes.tests.js
Expand Up @@ -807,6 +807,54 @@ describe('User CRUD tests', function () {
});
});

it('should not be able to update secure fields', function (done) {
var resetPasswordToken = 'password-reset-token';
user.resetPasswordToken = resetPasswordToken;

user.save(function (saveErr) {
if (saveErr) {
return done(saveErr);
}
agent.post('/api/auth/signin')
.send(credentials)
.expect(200)
.end(function (signinErr, signinRes) {
// Handle signin error
if (signinErr) {
return done(signinErr);
}
var userUpdate = {
password: 'Aw3$0m3P@ssWord',
salt: 'newsaltphrase',
created: new Date(2000, 9, 9),
resetPasswordToken: 'tweeked-reset-token'
};

// Get own user details
agent.put('/api/users')
.send(userUpdate)
.expect(200)
.end(function (err, res) {
if (err) {
return done(err);
}

User.findById(user._id, function (dbErr, updatedUser) {
if (dbErr) {
return done(dbErr);
}

updatedUser.password.should.be.equal(user.password);
updatedUser.salt.should.be.equal(user.salt);
updatedUser.created.getTime().should.be.equal(user.created.getTime());
updatedUser.resetPasswordToken.should.be.equal(resetPasswordToken);
done();
});
});
});
});
});

it('should not be able to update own user details if not logged-in', function (done) {
user.roles = ['user'];

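Review bot: The new 'should not be able to update secure fields' test only checks that password, salt, created and resetPasswordToken stay unchanged, so it would also pass if the update handler ignored the request body entirely; it does not pin the whitelist behaviour it is meant to protect. Adding one whitelisted field to `userUpdate`, e.g. `firstName: 'Updated'`, and asserting `updatedUser.firstName.should.be.equal('Updated');` next to the existing checks would make the test fail on such a regression while still proving the secure fields are dropped. The comment above the PUT request, `// Get own user details`, describes the wrong operation; `// Attempt to update secure fields through the profile endpoint` would match what the request actually does. The enclosing describe block starts and ends outside the hunk.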