Merge pull request #4111 from strongloop/fix-crash-when-replacing-unknown-user

Fix crash when modifying an unknown user
2019-01-11 16:45:50 +01:00 · 2019-01-11 16:45:50 +01:00 · 2992cfbbdf
parent e513019ed5 d4e8116023
commit 2992cfbbdf
2 changed files with 46 additions and 1 deletions
--- a/common/models/user.js
+++ b/common/models/user.js
@ -897,7 +897,14 @@ module.exports = function(User) {
      });
      var emailChanged;
      if (ctx.instance) {
-        emailChanged = ctx.instance.email !== ctx.hookState.originalUserData[0].email;
+        // Check if map does not return an empty array
+        // Fix server crashes when try to PUT a non existent id
+        if (ctx.hookState.originalUserData.length > 0) {
+          emailChanged = ctx.instance.email !== ctx.hookState.originalUserData[0].email;
+        } else {
+          emailChanged = true;
+        }
+
        if (emailChanged && ctx.Model.settings.emailVerificationRequired) {
          ctx.instance.emailVerified = false;
        }
--- a/test/user.integration.js
+++ b/test/user.integration.js
@ -69,6 +69,44 @@ describe('users - integration', function() {
        });
    });

+    it('returns error when replacing user that does not exist', function() {
+      var self = this;
+      var credentials = {email: 'temp@example.com', password: 'pass'};
+      var User = app.models.User;
+      var user;
+
+      // verify that logoutSessionsOnSensitiveChanges is enabled,
+      // otherwise this test always passes
+      expect(app.get('logoutSessionsOnSensitiveChanges')).to.equal(true);
+
+      var hookEnabled = true;
+      User.beforeRemote('replaceOrCreate', function(ctx, unused, next) {
+        // don't affect subsequent tests!
+        if (!hookEnabled) return;
+        hookEnabled = false;
+
+        // Delete the user *AFTER* the PUT request was authorized
+        // but *BEFORE* replaceOrCreate is invoked
+        User.deleteById(user.id, next);
+      });
+
+      return User.create(credentials)
+        .then(function(u) {
+          user = u;
+          return User.login(credentials);
+        })
+        .then(function(token) {
+          return self.post('/api/users/replaceOrCreate')
+            .set('Authorization', token.id)
+            .send({
+              id: user.id,
+              email: 'x@x.com',
+              password: 'x',
+            })
+            .expect(200);
+        });
+    });
+
    it('should create post for a given user', function(done) {
      var url = '/api/users/' + userId + '/posts?access_token=' + accessToken;
      this.post(url)