From 5f5e8745649dfd2ad812ed7be31a73db7f2a804b Mon Sep 17 00:00:00 2001
From: Loay
Date: Tue, 27 Sep 2016 09:16:08 -0400
Subject: [PATCH] Validate non-email property partial update
---
 common/models/user.js | 2 ++
 test/user.test.js | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
diff --git a/common/models/user.js b/common/models/user.js
index 80f6de68..f71b10a4 100644
--- a/common/models/user.js
+++ b/common/models/user.js
@@ -689,7 +689,9 @@ module.exports = function(User) {
 UserModel.observe('after save', function afterEmailUpdate(ctx, next) {
 if (!ctx.Model.relations.accessTokens) return next();
 var AccessToken = ctx.Model.relations.accessTokens.modelTo;
+ if (!ctx.instance && !ctx.data) return next();
 var newEmail = (ctx.instance || ctx.data).email;
+ if (!newEmail) return next();
 if (!ctx.hookState.originalUserData) return next();
 var idsToExpire = ctx.hookState.originalUserData.filter(function(u) {
 return u.email !== newEmail;
diff --git a/test/user.test.js b/test/user.test.js
index 85ed7c45..0fec68f5 100644
--- a/test/user.test.js
+++ b/test/user.test.js
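Review bot: In the `afterEmailUpdate` hunk of common/models/user.js, the added `if (!newEmail) return next();` treats every falsy email alike, so an update that explicitly sets `email` to `null` or `''` skips the token-expiry filter just as an update that never touched `email` does. Whether such a value can reach this hook depends on validation that is not visible here (it may not run for `updateAll`), so I would narrow the guard to the absent case, `if (newEmail === undefined) return next();`, and let a cleared email fall through to the `u.email !== newEmail` comparison. A short comment such as `// partial update without email: existing sessions stay valid` would record why the early return is safe. The observer body continues past the end of the hunk.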
@@ -1977,6 +1977,43 @@ describe('User', function() {
 ], done);
 });
+ it('keeps sessions AS IS if non-email property is changed using updateAll', function(done) {
+ var userPartial;
+ async.series([
+ function createPartialUser(next) {
+ User.create(
+ { email: 'partial@example.com', password: 'pass1', age: 25 },
+ function(err, partialInstance) {
+ if (err) return next (err);
+ userPartial = partialInstance;
+ next();
+ });
+ },
+ function loginPartiallUser(next) {
+ User.login({ email: 'partial@example.com', password: 'pass1' }, function(err, ats) {
+ if (err) return next (err);
+ next();
+ });
+ },
+ function updatePartialUser(next) {
+ User.updateAll(
+ { id: userPartial.id },
+ { age: userPartial.age + 1 },
+ function(err, info) {
+ if (err) return next (err);
+ next();
+ });
+ },
+ function verifyTokensOfPartialUser(next) {
+ AccessToken.find({ where: { userId: userPartial.id }}, function(err, tokens1) {
+ if (err) return next (err);
+ expect(tokens1.length).to.equal(1);
+ next();
+ });
+ },
+ ], done);
+ });
+
 function assertPreservedToken(done) {
 AccessToken.find({ where: { userId: user.id }}, function(err, tokens) {
 if (err) return done(err);
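Review bot: `verifyTokensOfPartialUser` asserts only `tokens1.length`, so it does not confirm that the surviving token is the one issued by the login step; the `ats` passed to the `User.login` callback is never used. Keeping it in a test-scoped variable (`loginToken = ats;`) and adding `expect(tokens1[0].id).to.equal(loginToken.id);` would pin that the original session is the one preserved across `updateAll`. Minor style points: `loginPartiallUser` has a doubled `l`, and `next (err)` has a stray space before the call parentheses. `assertPreservedToken` at the end of the hunk continues outside it.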