Fixing roles security issues

Author: amoshaviv

app/controllers/users.server.controller.js

@@ -36,6 +36,9 @@ var getErrorMessage = function(err) {
  * Signup
  */
 exports.signup = function(req, res) {
+	// For security measurement we remove the roles from the req.body object
+	delete req.body.roles;
+	
 	// Init Variables
 	var user = new User(req.body);
 	var message = null;
@@ -44,6 +47,7 @@ exports.signup = function(req, res) {
 	user.provider = 'local';
 	user.displayName = user.firstName + ' ' + user.lastName;
 
+	// Then save the user 
 	user.save(function(err) {
 		if (err) {
 			return res.send(400, {
@@ -96,6 +100,9 @@ exports.update = function(req, res) {
 	var user = req.user;
 	var message = null;
 
+	// For security measurement we remove the roles from the req.body object
+	delete req.body.roles;
+
 	if (user) {
 		// Merge existing user
 		user = _.extend(user, req.body);

config/strategies/google.js

@@ -1,39 +1,39 @@
 'use strict';
 
 var passport = require('passport'),
-	url = require('url'),
-	GoogleStrategy = require('passport-google-oauth').OAuth2Strategy,
-	config = require('../config'),
-	users = require('../../app/controllers/users.server.controller');
+    url = require('url'),
+    GoogleStrategy = require('passport-google-oauth').OAuth2Strategy,
+    config = require('../config'),
+    users = require('../../app/controllers/users.server.controller');
 
 module.exports = function() {
-	// Use google strategy
-	passport.use(new GoogleStrategy({
-			clientID: config.google.clientID,
-			clientSecret: config.google.clientSecret,
-			callbackURL: config.google.callbackPath,
-			passReqToCallback: true
-		},
-		function(req, accessToken, refreshToken, profile, done) {
-			// Set the provider data and include tokens
-			var providerData = profile._json;
-			providerData.accessToken = accessToken;
-			providerData.refreshToken = refreshToken;
-			
-			// Create the user OAuth profile
-			var providerUserProfile = {
-				firstName: profile.name.givenName,
-				lastName: profile.name.familyName,
-				displayName: profile.displayName,
-				email: profile.emails[0].value,
-				username: profile.username,
-				provider: 'google',
-				providerIdentifierField: 'id',
-				providerData: providerData 
-			};
+    // Use google strategy
+    passport.use(new GoogleStrategy({
+            clientID: config.google.clientID,
+            clientSecret: config.google.clientSecret,
+            callbackURL: config.google.callbackPath,
+            passReqToCallback: true
+        },
+        function(req, accessToken, refreshToken, profile, done) {
+            // Set the provider data and include tokens
+            var providerData = profile._json;
+            providerData.accessToken = accessToken;
+            providerData.refreshToken = refreshToken;
 
-			// Save the user OAuth profile
-			users.saveOAuthUserProfile(req, providerUserProfile, done);
-		}
-	));
-};
+            // Create the user OAuth profile
+            var providerUserProfile = {
+                firstName: profile.name.givenName,
+                lastName: profile.name.familyName,
+                displayName: profile.displayName,
+                email: profile.emails[0].value,
+                username: profile.username,
+                provider: 'google',
+                providerIdentifierField: 'id',
+                providerData: providerData
+            };
+
+            // Save the user OAuth profile
+            users.saveOAuthUserProfile(req, providerUserProfile, done);
+        }
+    ));
+};