BUG: fix admin access (blocking user PUT)

meanjs · Jul 28, 2015 · 839f805 · 839f805
1 parent 460ef53
commit 839f805
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 11 deletions.
diff --git a/modules/users/server/controllers/admin.server.controller.js b/modules/users/server/controllers/admin.server.controller.js
@@ -74,6 +74,12 @@ exports.list = function (req, res) {
  * User middleware
  */
 exports.userByID = function (req, res, next, id) {
+	if (!mongoose.Types.ObjectId.isValid(id)) {
+		return res.status(400).send({
+			message: 'User is invalid'
+		});
+	}
+
 	User.findById(id, '-salt -password').exec(function (err, user) {
 		if (err) return next(err);
 		if (!user) return next(new Error('Failed to load user ' + id));

diff --git a/modules/users/server/controllers/users/users.authorization.server.controller.js b/modules/users/server/controllers/users/users.authorization.server.controller.js
@@ -10,10 +10,16 @@ var _ = require('lodash'),
 /**
  * User middleware
  */
-exports.userByID = function(req, res, next, id) {
+exports.userByID = function (req, res, next, id) {
+	if (!mongoose.Types.ObjectId.isValid(id)) {
+		return res.status(400).send({
+			message: 'User is invalid'
+		});
+	}
+
 	User.findOne({
 		_id: id
-	}).exec(function(err, user) {
+	}).exec(function (err, user) {
 		if (err) return next(err);
 		if (!user) return next(new Error('Failed to load User ' + id));
 		req.profile = user;

diff --git a/.../server/policies/admin.server.policies.js → ...rs/server/policies/admin.server.policy.js b/.../server/policies/admin.server.policies.js → ...rs/server/policies/admin.server.policy.js
@@ -9,7 +9,7 @@ var acl = require('acl');
 acl = new acl(new acl.memoryBackend());
 
 /**
- * Invoke Articles Permissions
+ * Invoke Admin Permissions
  */
 exports.invokeRolesPolicies = function () {
 	acl.allow([{

diff --git a/modules/users/server/routes/admin.server.routes.js b/modules/users/server/routes/admin.server.routes.js
@@ -3,19 +3,22 @@
 /**
  * Module dependencies.
  */
-var adminPolicy = require('../policies/admin.server.policies'),
+var adminPolicy = require('../policies/admin.server.policy'),
 	admin = require('../controllers/admin.server.controller');
 
 module.exports = function (app) {
+	// User route registration first. Ref: #713
+	require('./users.server.routes.js')(app);
+
 	// Users collection routes
-	app.route('/api/users').all(adminPolicy.isAllowed)
-		.get(admin.list);
+	app.route('/api/users')
+		.get(adminPolicy.isAllowed, admin.list);
 
 	// Single user routes
-	app.route('/api/users/:userId').all(adminPolicy.isAllowed)
-		.get(admin.read)
-		.put(admin.update)
-		.delete(admin.delete);
+	app.route('/api/users/:userId')
+		.get(adminPolicy.isAllowed, admin.read)
+		.put(adminPolicy.isAllowed, admin.update)
+		.delete(adminPolicy.isAllowed, admin.delete);
 
 	// Finish by binding the user middleware
 	app.param('userId', admin.userByID);

diff --git a/modules/users/server/routes/users.server.routes.js b/modules/users/server/routes/users.server.routes.js
@@ -1,6 +1,6 @@
 'use strict';
 
-module.exports = function(app) {
+module.exports = function (app) {
 	// User Routes
 	var users = require('../controllers/users.server.controller');