prevent unsupported operation call (#154)

prevent unsupported operation call
yahoo · Sep 6, 2016 · 84115b2 · 84115b2
1 parent ea92871
commit 84115b2
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/libs/fetcher.js b/libs/fetcher.js
@@ -6,6 +6,7 @@
 var OP_READ = 'read';
 var OP_CREATE = 'create';
 var OP_UPDATE = 'update';
+var OP_DELETE = 'delete';
 var GET = 'GET';
 var qs = require('querystring');
 var debug = require('debug')('Fetchr');
@@ -421,8 +422,16 @@ Fetcher.middleware = function (options) {
                 error.source = 'fetchr';
                 return next(error);
             }
+            var operation = singleRequest.operation;
+            if(operation !== OP_CREATE && operation !== OP_UPDATE && operation !== OP_DELETE && operation !== OP_READ) {
+                error = fumble.http.badRequest('Invalid Fetchr Access', {
+                    debug: 'Unsupported operation : operation must be create or read or update or delete'
+                });
+                error.source = 'fetchr';
+                return next(error);
+            }
             serviceMeta = [];
-            request = new Request(singleRequest.operation, singleRequest.resource, {
+            request = new Request(operation, singleRequest.resource, {
                 req: req,
                 serviceMeta: serviceMeta,
                 statsCollector: options.statsCollector

diff --git a/tests/unit/libs/fetcher.js b/tests/unit/libs/fetcher.js
@@ -599,6 +599,16 @@ describe('Server Fetcher', function () {
                     }
                 }}, 'Bad resource invalid*Service', done);
             });
+            it('should handle unsupported operation', function (done) {
+                makeInvalidReqTest({method: 'POST', body: {
+                    requests: {
+                        g0: {
+                            resource: mockErrorService.name,
+                            operation: 'constructor'
+                        }
+                    }
+                }}, 'Unsupported operation : operation must be create or read or update or delete', done);
+            });
             it('should skip POST request with empty req.body.requests object', function (done) {
                 makeInvalidReqTest({method: 'POST', body: { requests: {}}}, 'No resources', done);
             });