Merge pull request #3917 from mcitdev/master

Fix crash in User model's "before delete" hook
2018-06-29 15:27:39 +02:00 · 2018-06-29 15:27:39 +02:00 · 95bcf035a8
parent 9c554fd4f0 37e57f6943
commit 95bcf035a8
2 changed files with 20 additions and 0 deletions
--- a/common/models/user.js
+++ b/common/models/user.js
@ -346,6 +346,9 @@ module.exports = function(User) {
  };

  User.observe('before delete', function(ctx, next) {
+    // Do nothing when the access control was disabled for this user model.
+    if (!ctx.Model.relations.accessTokens) return next();
+
    var AccessToken = ctx.Model.relations.accessTokens.modelTo;
    var pkName = ctx.Model.definition.idName() || 'id';
    ctx.Model.find({where: ctx.where, fields: [pkName]}, function(err, list) {
--- a/test/user.test.js
+++ b/test/user.test.js
@ -299,6 +299,23 @@ describe('User', function() {
      });
    });

+    it('skips token invalidation when the relation is not configured', () => {
+      const app = loopback({localRegistry: true, loadBuiltinModels: true});
+      app.dataSource('db', {connector: 'memory'});
+
+      const PrivateUser = app.registry.createModel({
+        name: 'PrivateUser',
+        base: 'User',
+        // Speed up the password hashing algorithm for tests
+        saltWorkFactor: 4,
+      });
+      app.model(PrivateUser, {dataSource: 'db'});
+
+      return PrivateUser.create({email: 'private@example.com', password: 'pass'})
+        .then(u => PrivateUser.deleteById(u.id));
+      // the test passed when the operation did not crash
+    });
+
    it('invalidates the user\'s accessToken when the user is deleted all', function(done) {
      var userIds = [];
      var users;