restrict-to-owner does not allow Service.remove(null) from internal systems #301
In the restrict-to-owner hook, the code that allows authorization checks to be bypassed for internal system calls:
is currently done AFTER the check to see if a hook.id was passed in:
This prevents an internal service from calling service.remove(null) to delete the entire collection. The order of the two checks should be reversed.
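The ordering problem reported above, as an added sketch that is not the hook's actual source: `requireId`, `isInternal`, `ownerCheck` and the sample hook contexts are hypothetical stand-ins, and it assumes Feathers sets `hook.params.provider` only for external (REST/socket) calls. It also shows what the reordering must preserve: an external `remove(null)` is still rejected.

```javascript
// Simplified stand-ins for the two checks named in the issue (hypothetical names).
// Assumption: params.provider is set only when the call comes from an external transport.
function isInternal(hook) {
  return !hook.params || !hook.params.provider;
}

function requireId(hook) {
  if (hook.id === null || hook.id === undefined) {
    throw new Error('MethodNotAllowed: restrict-to-owner needs an id');
  }
}

// Placeholder for the real ownership comparison; it only records that it ran.
function ownerCheck(hook) {
  hook.ownerChecked = true;
  return hook;
}

// Order described in the issue: id check first, so internal remove(null) is rejected.
function currentOrder(hook) {
  requireId(hook);
  if (isInternal(hook)) return hook;
  return ownerCheck(hook);
}

// Proposed order: internal calls return early, every external call still needs an id.
function proposedOrder(hook) {
  if (isInternal(hook)) return hook;
  requireId(hook);
  return ownerCheck(hook);
}

// Runs a hook function and reports which path the call took.
function outcome(hookFn, hook) {
  try {
    hookFn(hook);
    return hook.ownerChecked ? 'owner-checked' : 'bypassed';
  } catch (e) {
    return 'rejected';
  }
}

// Constructed hook contexts for illustration.
const internalRemoveAll = () => ({ method: 'remove', id: null, params: {} });
const externalRemoveAll = () => ({ method: 'remove', id: null, params: { provider: 'rest' } });
const externalRemoveOne = () => ({ method: 'remove', id: 42, params: { provider: 'rest' } });

console.log(outcome(currentOrder, internalRemoveAll()), outcome(proposedOrder, internalRemoveAll()));
```

A regression test for the fix should cover both directions: the internal bulk remove passes, and the external one without an id does not.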