restrict-to-owner does not allow Service.remove(null) from internal systems #301

Closed
joelkoz opened this Issue Oct 4, 2016 · 1 comment

joelkoz commented Oct 4, 2016

In the restrict-to-owner hook, the code that allows authorization checks to be bypassed for internal system calls:

```js
if (!hook.params.provider) { return hook; }
```

is currently done AFTER the check to see if a hook.id was passed in:

```js
if (!hook.id) { throw new errors.MethodNotAllowed(`The 'restrictToOwner' hook should only be used on the 'get', 'update', 'patch' and 'remove' service methods.`); }
```

This prevents an internal service from calling service.remove(null) to delete the entire collection. The order of the two checks should be reversed.

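To make the ordering problem concrete, here is an added example (not code from feathers-authentication or from the issue author) that models both guard orderings against a minimal hook context. The `MethodNotAllowed` class, the `checkOwner` helper, the `params.record` / `userId` fields and the sample contexts are assumptions made for illustration; the real hook looks the record up through the service.

```javascript
// Added example, not the feathers-authentication source. Error class,
// helper names and the record/userId fields are assumptions.
class MethodNotAllowed extends Error {
  constructor(message) {
    super(message);
    this.name = 'MethodNotAllowed';
    this.code = 405;
  }
}

const MESSAGE = `The 'restrictToOwner' hook should only be used on the 'get', 'update', 'patch' and 'remove' service methods.`;

// Ordering reported in the issue: the id check runs first, so an internal
// call (no provider) with id === null is rejected before the bypass applies.
function restrictToOwnerBuggy(hook) {
  if (!hook.id) {
    throw new MethodNotAllowed(MESSAGE);
  }
  if (!hook.params.provider) {
    return hook;
  }
  return checkOwner(hook);
}

// Ordering proposed in the issue: internal calls bypass the hook entirely,
// so service.remove(null) from trusted server code is allowed; external
// calls still need an id and an owner match.
function restrictToOwnerFixed(hook) {
  if (!hook.params.provider) {
    return hook;
  }
  if (!hook.id) {
    throw new MethodNotAllowed(MESSAGE);
  }
  return checkOwner(hook);
}

// Simplified owner comparison (assumption): the record being acted on is
// passed in as hook.params.record and its ownership field is userId.
function checkOwner(hook) {
  const user = hook.params.user;
  if (!user) throw new Error('not-authenticated'); // stand-in for NotAuthenticated
  const record = hook.params.record;
  if (!record || String(record.userId) !== String(user._id)) {
    throw new Error('forbidden'); // stand-in for Forbidden
  }
  return hook;
}

// Run a hook against a context and report the outcome as a short string.
function outcome(hookFn, ctx) {
  try {
    hookFn(ctx);
    return 'allowed';
  } catch (err) {
    return err.name === 'MethodNotAllowed' ? 'method-not-allowed' : err.message;
  }
}

// Constructed hook contexts (no provider = internal call).
const internalRemoveAll = { method: 'remove', id: null, params: {} };
const externalRemoveAll = { method: 'remove', id: null, params: { provider: 'rest', user: { _id: 1 } } };
const externalOwn = { method: 'remove', id: 7, params: { provider: 'rest', user: { _id: 1 }, record: { userId: 1 } } };
const externalOther = { method: 'remove', id: 7, params: { provider: 'rest', user: { _id: 1 }, record: { userId: 2 } } };

// Table of outcomes for each ordering, so the difference is visible at a glance.
function summarize() {
  const cases = { internalRemoveAll, externalRemoveAll, externalOwn, externalOther };
  const table = {};
  for (const [name, ctx] of Object.entries(cases)) {
    table[name] = {
      buggy: outcome(restrictToOwnerBuggy, ctx),
      fixed: outcome(restrictToOwnerFixed, ctx),
    };
  }
  return table;
}

console.log(JSON.stringify(summarize(), null, 2));
```

Note what the reversed ordering relies on: a missing `params.provider` is treated as full trust. Any external entry point that constructs `params` without forwarding the provider would therefore skip the owner check entirely, so the transport layer must always set `provider` for client-originated calls.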
daffl commented Oct 31, 2016

This has been closed via #335 and released in v0.7.11.
