Add very basic filtering support

And prefix the filters with a [simple] in the query parameter, to allow more complex filtering strategies later.
ethanresnick · Apr 9, 2015 · 2461e9a · 2461e9a
1 parent 5adb06f
commit 2461e9a
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 4 deletions.
diff --git a/build/src/adapters/Mongoose/MongooseAdapter.js b/build/src/adapters/Mongoose/MongooseAdapter.js
@@ -45,6 +45,8 @@ var LinkObject = _interopRequire(require("../../types/LinkObject"));
 
 var APIError = _interopRequire(require("../../types/APIError"));
 
+var polyfill = _interopRequire(require("babel/polyfill"));
+
 var MongooseAdapter = (function () {
   function MongooseAdapter(models, inflector, idGenerator) {
     _classCallCheck(this, MongooseAdapter);
@@ -98,6 +100,14 @@ var MongooseAdapter = (function () {
           queryBuilder.sort(sorts.join(" "));
         }
 
+        // filter out invalid records with simple fields equality.
+        // note that there's a non-trivial risk of sql-like injection here.
+        // we're mostly protected by the fact that we're treating the filter's
+        // value as a single string, though, and not parsing as JSON.
+        if (typeof filters === "object" && !Array.isArray(filters)) {
+          queryBuilder.where(filters);
+        }
+
         // in an ideal world, we'd use mongoose here to filter the fields before
         // querying. But, because the fields to filter can be scoped by type and
         // we don't always know about a document's type until after query (becuase

diff --git a/build/src/steps/do-query/do-get.js b/build/src/steps/do-query/do-get.js
@@ -24,7 +24,10 @@ module.exports = function (requestContext, responseContext, registry) {
   if (!requestContext.aboutLinkObject) {
     fields = parseFields(requestContext.queryParams.fields);
     sorts = parseSorts(requestContext.queryParams.sort);
+    // just support a "simple" filtering strategy for now.
+    filters = requestContext.queryParams.filter && requestContext.queryParams.filter.simple;
     includes = parseCommaSeparatedParam(requestContext.queryParams.include);
+
     if (!includes) {
       includes = registry.defaultIncludes(type);
     }

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "json-api",
-  "version": "2.2.1",
+  "version": "2.2.2",
   "description": "A library for constructing JSON-API compliant responses",
   "homepage": "https://github.com/ethanresnick/json-api",
   "repository": {

diff --git a/src/adapters/Mongoose/MongooseAdapter.js b/src/adapters/Mongoose/MongooseAdapter.js
@@ -6,10 +6,11 @@ import {forEachArrayOrVal, objectIsEmpty, mapArrayOrVal, mapResources, groupReso
 import * as util from "./lib"
 import pluralize from "pluralize"
 import Resource from "../../types/Resource"
-import Collection from "../../types/Collection"
-import Linkage from "../../types/Linkage"
-import LinkObject from "../../types/LinkObject"
+import Collection from "../../types/Collection";
+import Linkage from "../../types/Linkage";
+import LinkObject from "../../types/LinkObject";
 import APIError from "../../types/APIError";
+import polyfill from "babel/polyfill";
 
 export default class MongooseAdapter {
   constructor(models, inflector, idGenerator) {
@@ -55,6 +56,14 @@ export default class MongooseAdapter {
       queryBuilder.sort(sorts.join(" "));
     }
 
+    // filter out invalid records with simple fields equality.
+    // note that there's a non-trivial risk of sql-like injection here.
+    // we're mostly protected by the fact that we're treating the filter's
+    // value as a single string, though, and not parsing as JSON.
+    if(typeof filters === "object" && !Array.isArray(filters)) {
+      queryBuilder.where(filters);
+    }
+
     // in an ideal world, we'd use mongoose here to filter the fields before
     // querying. But, because the fields to filter can be scoped by type and
     // we don't always know about a document's type until after query (becuase

diff --git a/src/steps/do-query/do-get.js b/src/steps/do-query/do-get.js
@@ -11,7 +11,11 @@ export default function(requestContext, responseContext, registry) {
   if(!requestContext.aboutLinkObject) {
     fields = parseFields(requestContext.queryParams.fields);
     sorts  = parseSorts(requestContext.queryParams.sort);
+    // just support a "simple" filtering strategy for now.
+    filters = requestContext.queryParams.filter &&
+                requestContext.queryParams.filter.simple;
     includes = parseCommaSeparatedParam(requestContext.queryParams.include);
+
     if(!includes) {
       includes = registry.defaultIncludes(type);
     }