Apply credential stripping to all untransforms for _User

TylerBrock · TylerBrock · commit 13cdbd751a58 · 2016-04-14T14:34:01.000-07:00
diff --git a/spec/RestQuery.spec.js b/spec/RestQuery.spec.js
@@ -7,6 +7,9 @@ var rest = require('../src/rest');
 var querystring = require('querystring');
 var request = require('request');
 
+var DatabaseAdapter = require('../src/DatabaseAdapter');
+var database = DatabaseAdapter.getDatabaseConnection('test', 'test_');
+
 var config = new Config('test');
 var nobody = auth.nobody(config);
 
@@ -35,6 +38,42 @@ describe('rest query', () => {
     });
   });
 
+  describe('query for user w/ legacy credentials', () => {
+    var data = {
+      username: 'blah',
+      password: 'pass',
+      sessionToken: 'abc123',
+    }
+    describe('without masterKey', () => {
+      it('has them stripped from results', (done) => {
+        database.adaptiveCollection('_User').then((collection) => {
+          return collection.insertOne(data);
+        }).then(() => {
+          return rest.find(config, nobody, '_User')
+        }).then((result) => {
+          var user = result.results[0];
+          expect(user.sessionToken).toBeUndefined();
+          expect(user.password).toBeUndefined();
+          done();
+        });
+      });
+    });
+    describe('with masterKey', () => {
+      it('has them stripped from results', (done) => {
+        database.adaptiveCollection('_User').then((collection) => {
+          return collection.insertOne(data);
+        }).then(() => {
+          return rest.find(config, {isMaster: true}, '_User')
+        }).then((result) => {
+          var user = result.results[0];
+          expect(user.sessionToken).toBeUndefined();
+          expect(user.password).toBeUndefined();
+          done();
+        });
+      });
+    });
+  });
+
   // Created to test a scenario in AnyPic
   it('query with include', (done) => {
     var photo = {
diff --git a/src/Controllers/DatabaseController.js b/src/Controllers/DatabaseController.js
@@ -119,12 +119,13 @@ DatabaseController.prototype.untransformObject = function(
     return object;
   }
 
+  delete object.authData;
+  delete object.sessionToken;
+
   if (isMaster || (aclGroup.indexOf(object.objectId) > -1)) {
     return object;
   }
 
-  delete object.authData;
-  delete object.sessionToken;
   return object;
 };
 

Original file line number	Diff line number	Diff line change
`@@ -119,12 +119,13 @@ DatabaseController.prototype.untransformObject = function(`
`119`	`119`	`return object;`
`120`	`120`	`}`
`121`	`121`
	`122`	`+ delete object.authData;`
	`123`	`+ delete object.sessionToken;`
	`124`	`+`
`122`	`125`	`if (isMaster \|\| (aclGroup.indexOf(object.objectId) > -1)) {`
`123`	`126`	`return object;`
`124`	`127`	`}`
`125`	`128`
`126`		`- delete object.authData;`
`127`		`- delete object.sessionToken;`
`128`	`129`	`return object;`
`129`	`130`	`};`
`130`	`131`