diff --git a/spec/RestQuery.spec.js b/spec/RestQuery.spec.js
index 59ed70f0482..a5de88c9779 100644
--- a/spec/RestQuery.spec.js
+++ b/spec/RestQuery.spec.js
@@ -7,6 +7,9 @@ var rest = require('../src/rest');
 var querystring = require('querystring');
 var request = require('request');
+var DatabaseAdapter = require('../src/DatabaseAdapter');
+var database = DatabaseAdapter.getDatabaseConnection('test', 'test_');
+
 var config = new Config('test');
 var nobody = auth.nobody(config);
@@ -35,6 +38,42 @@ describe('rest query', () => {
 });
 });
+ describe('query for user w/ legacy credentials', () => {
+ var data = {
+ username: 'blah',
+ password: 'pass',
+ sessionToken: 'abc123',
+ }
+ describe('without masterKey', () => {
+ it('has them stripped from results', (done) => {
+ database.adaptiveCollection('_User').then((collection) => {
+ return collection.insertOne(data);
+ }).then(() => {
+ return rest.find(config, nobody, '_User')
+ }).then((result) => {
+ var user = result.results[0];
+ expect(user.sessionToken).toBeUndefined();
+ expect(user.password).toBeUndefined();
+ done();
+ });
+ });
+ });
+ describe('with masterKey', () => {
+ it('has them stripped from results', (done) => {
+ database.adaptiveCollection('_User').then((collection) => {
+ return collection.insertOne(data);
+ }).then(() => {
+ return rest.find(config, {isMaster: true}, '_User')
+ }).then((result) => {
+ var user = result.results[0];
+ expect(user.sessionToken).toBeUndefined();
+ expect(user.password).toBeUndefined();
+ done();
+ });
+ });
+ });
+ });
+
 // Created to test a scenario in AnyPic
 it('query with include', (done) => {
 var photo = {
diff --git a/src/Controllers/DatabaseController.js b/src/Controllers/DatabaseController.js
index de79f28d9d1..0433c29318c 100644
--- a/src/Controllers/DatabaseController.js
+++ b/src/Controllers/DatabaseController.js
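Review bot: Neither promise chain in the two new `it` blocks has a rejection handler, so a failure in `adaptiveCollection`, `insertOne` or `rest.find` (or an `expect` throwing inside the last `then`) never reaches `done` and only shows up as a timeout; end each chain with `}).catch(done.fail);` in place of the bare `});`. The same `data` object is handed to `insertOne` in both tests; if the driver attaches `_id` to the document it inserts, the second test reuses that id and silently depends on the suite clearing `_User` between specs, so building `data` inside each `it` (or inserting a copy) is safer. The `with masterKey` case asserts that `sessionToken` is stripped even for the master key, which matches the controller change in this commit; a short comment on that describe, such as `// legacy sessionToken/authData are stripped for everyone, master included`, would stop a future reader from "fixing" the expectation. The enclosing `describe('rest query')` begins outside the hunk.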
@@ -119,12 +119,13 @@ DatabaseController.prototype.untransformObject = function(
 return object;
 }
+ delete object.authData;
+ delete object.sessionToken;
+
 if (isMaster || (aclGroup.indexOf(object.objectId) > -1)) {
 return object;
 }
- delete object.authData;
- delete object.sessionToken;
 return object;
 };
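Review bot: With `delete object.authData` and `delete object.sessionToken` hoisted above the `isMaster || aclGroup` check, both branches now return the same stripped object, so the `if` block is dead code that reads as if master or the owning user still get a different result. Either drop the conditional and keep a comment in its place, e.g. `// Legacy sessionToken/authData are never returned from _User, not even to master or the owner.`, or keep it only if a later change is meant to diverge again. The spec added in this commit also expects `password` to be undefined in results, which this hunk does not remove; presumably the `transform.untransformObject` call earlier in the function handles it, but that is worth confirming rather than assuming. The function's start, including the early return whose condition precedes the first context line, lies outside the hunk.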