From 1818a8fb345c127d30f59b28f61590605efe8567 Mon Sep 17 00:00:00 2001
From: Ron Edgecomb <ron.edgecomb@gmail.com>
Date: Wed, 25 Feb 2015 14:48:08 -0500
Subject: [PATCH] Config option to disable legacy explorer routes Setting
 legacyExplorer to false in the loopback config will disable the routes
 /routes and /models made available in loopback.rest. The deprecate module has
 been added to the project with a reference added for the legacyExplorer
 option as it is no longer required by loopback-explorer. Tests added to
 validate functionality of disabled and enabled legacy explorer routes.

---
 server/middleware/rest.js    | 16 +++++++++++----
 test/rest.middleware.test.js | 38 ++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 4 deletions(-)

diff --git a/server/middleware/rest.js b/server/middleware/rest.js
index c2711e36..aa2b29a4 100644
--- a/server/middleware/rest.js
+++ b/server/middleware/rest.js
@@ -4,6 +4,7 @@
 
 var loopback = require('../../lib/loopback');
 var async = require('async');
+var deprecate = require('depd')('loopback');
 
 /*!
  * Export the middleware.
@@ -28,10 +29,17 @@ function rest() {
   return function restApiHandler(req, res, next) {
     var app = req.app;
 
-    if (req.url === '/routes') {
-      return res.send(app.handler('rest').adapter.allRoutes());
-    } else if (req.url === '/models') {
-      return res.send(app.remotes().toJSON());
+    // added for https://github.com/strongloop/loopback/issues/1134
+    if (app.get('legacyExplorer') !== false) {
+      deprecate(
+        'Routes "/methods" and "/models" are considered dangerous and should not be used.\n' +
+        'Disable them by setting "legacyExplorer=false" in "server/config.json" or via "app.set()".'
+      );
+      if (req.url === '/routes') {
+        return res.send(app.handler('rest').adapter.allRoutes());
+      } else if (req.url === '/models') {
+        return res.send(app.remotes().toJSON());
+      }
     }
 
     if (!handlers) {
diff --git a/test/rest.middleware.test.js b/test/rest.middleware.test.js
index 429f3fc8..e608c5b2 100644
--- a/test/rest.middleware.test.js
+++ b/test/rest.middleware.test.js
@@ -164,6 +164,44 @@ describe('loopback.rest', function() {
     }, done);
   });
 
+  it('should report 200 for legacy explorer route /routes', function(done) {
+    app.use(loopback.rest());
+    request(app).get('/routes')
+      .expect(200)
+      .end(function(err, res) {
+        if (err) return done(err);
+        expect(res.body).to.eql([]);
+        done();
+      });
+  });
+
+  it('should report 200 for legacy explorer route /models', function(done) {
+    app.use(loopback.rest());
+    request(app).get('/models')
+      .expect(200)
+      .end(function(err, res) {
+        if (err) return done(err);
+        expect(res.body).to.eql({});
+        done();
+      });
+  });
+
+  it('should report 404 for disabled legacy explorer route /routes', function(done) {
+    app.set('legacyExplorer', false);
+    app.use(loopback.rest());
+    request(app).get('/routes')
+      .expect(404)
+      .end(done);
+  });
+
+  it('should report 404 for disabled legacy explorer route /models', function(done) {
+    app.set('legacyExplorer', false);
+    app.use(loopback.rest());
+    request(app).get('/models')
+      .expect(404)
+      .end(done);
+  });
+
   describe('context propagation', function() {
     var User;