Fix crash when modifying an unknown user

Signed-off-by: Matheus Horstmann <mch15@inf.ufpr.br> Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
2019-01-08 11:51:21 -02:00 · 2019-01-08 11:51:21 -02:00 · 2532b0b67e
parent 0bb8c23e2d
commit 2532b0b67e
2 changed files with 41 additions and 1 deletions
--- a/common/models/user.js
+++ b/common/models/user.js
@ -1358,7 +1358,14 @@ module.exports = function(User) {
      });
      var emailChanged;
      if (ctx.instance) {
-        emailChanged = ctx.instance.email !== ctx.hookState.originalUserData[0].email;
+        // Check if map does not return an empty array
+        // Fix server crashes when try to PUT a non existent id
+        if (ctx.hookState.originalUserData.length > 0) {
+          emailChanged = ctx.instance.email !== ctx.hookState.originalUserData[0].email;
+        } else {
+          emailChanged = true;
+        }
+
        if (emailChanged && ctx.Model.settings.emailVerificationRequired) {
          ctx.instance.emailVerified = false;
        }
--- a/test/user.integration.js
+++ b/test/user.integration.js
@ -63,6 +63,39 @@ describe('users - integration', function() {
        });
    });

+    it('returns error when replacing user that does not exist', function() {
+      const credentials = {email: 'temp@example.com', password: 'pass'};
+      const User = app.models.User;
+      let user;
+
+      let hookEnabled = true;
+      User.beforeRemote('replaceOrCreate', (ctx, unused, next) => {
+        // don't affect subsequent tests!
+        if (!hookEnabled) return;
+        hookEnabled = false;
+
+        // Delete the user *AFTER* the PUT request was authorized
+        // but *BEFORE* replaceOrCreate is invoked
+        User.deleteById(user.id, next);
+      });
+
+      return User.create(credentials)
+        .then(u => {
+          user = u;
+          return User.login(credentials);
+        })
+        .then(token => {
+          return this.put('/api/users')
+            .set('Authorization', token.id)
+            .send({
+              id: user.id,
+              email: 'x@x.com',
+              password: 'x',
+            })
+            .expect(404);
+        });
+    });
+
    it('should create post for a given user', function(done) {
      var url = '/api/users/' + userId + '/posts?access_token=' + accessToken;
      this.post(url)