Commit Graph

684 Commits

Author SHA1 Message Date
Diana Lau f788aae464 chore: update copyright year 2020-01-21 14:19:18 -05:00
Sujesh T b93187b0f9 feat: change hasone relation error message
The current hasone error message is not appropriate one.
So adds a better message.
2019-12-02 23:28:02 +05:30
Nora aa76a19e33 chore: fix eslint violations
Fix comma-dangle violations.
2019-11-17 14:04:57 -05:00
Miroslav Bajtoš 82cd6681f6
fixup! manual fixes
Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
2019-10-07 11:54:59 +02:00
Miroslav Bajtoš 397d141036
fixup! eslint --fix .
Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
2019-10-07 11:54:59 +02:00
Miroslav Bajtoš dd6d2a5e6c
chore: update chai to v4, dirty-chai to v2
Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
2019-10-07 11:54:59 +02:00
Miroslav Bajtoš 387835faef
test: use Chromium (not Chrome) when available
Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
2019-10-01 09:27:03 +02:00
Miroslav Bajtoš 8311138f3e
test: disable Chrome sandboxing when inside Docker
See the discussion in
https://github.com/docker/for-linux/issues/496

Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
2019-10-01 09:27:02 +02:00
Miroslav Bajtoš cceb8a3c26
test: switch from PhantomJS to HeadlessChrome
Rework browser tests to run in Headless Chrome instead of PhantomJS,
because the latter is no longer maintained.

This allows us to remove transpilation to ES5 via babelify, which
significantly improves speed of our tests.

Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
2019-10-01 09:12:17 +02:00
Hage Yaapa 58a0e6c8e9 fix: disallow queries in username and email fields
Username and email fields should not allow queries.
2019-05-30 19:54:01 +05:30
Maxim Sharai e8d115bdc2
Fix Model.exists() to work with remote connector 2019-05-13 15:47:38 +02:00
Agnes Lin 0e0ca455ac chore: update copyrights years 2019-05-06 16:10:57 -04:00
Diana Lau f6ba1afe91 chore: update copyright year 2019-04-17 12:10:45 -04:00
Mike Li edb8dbc517 Support middleware injected by AppDynamics.
AppDynamics injects a proxy object into the router stack, which it
uses for its network analysis.  This is similar to how NewRelic
adds a sentinel handler to the router stack. This commit adds a
similar workaround so that loopback can find the original layer.
2019-01-25 11:12:41 -08:00
Matheus Horstmann 2532b0b67e
Fix crash when modifying an unknown user
Signed-off-by: Matheus Horstmann <mch15@inf.ufpr.br>
Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
2019-01-11 15:45:00 +01:00
andrey-abramow 71c651123f Fix: treat empty access token string as undefined
Fix AccessToken's method tokenIdForRequest to treat an empty string
as if no access token was provided.

This is needed to accomodate the changes made in
loopback-datasource-juggler@2.56.0.
2018-11-26 13:13:35 +02:00
Raymond Feng f1c613ac07 Set juggler options for remote calls 2018-11-15 08:28:46 -08:00
Miroslav Bajtoš 818a7506d8
Speed up ACL tests by reducing saltWorkFactor 2018-10-25 14:10:49 +02:00
Moshe Malka 29c5f20d90
Fix ACL check to support model wildcard 2018-10-25 14:00:35 +02:00
Mohammed Essehemy e33d10fe44
Clear handler cache when a method is added/removed 2018-10-09 15:03:00 +02:00
lchaglla 2b7b0e1cc1
Add `options.preserveAccessTokens`
Add an option to preserve access tokens when email/password is changed.
2018-10-08 09:28:35 +02:00
Moshe Malka 186ae2ae57
Fix ACL tests to wait until all assertions finish 2018-09-17 14:12:58 +02:00
virkt25 fa644d6a31 chore: update to latest linting rules 2018-09-13 10:08:25 -04:00
virkt25 5ee731eafd chore: update deps + fix linting + .npmrc 2018-08-08 13:31:30 -04:00
mcitdev 37e57f6943
Fix crash in User model's "before delete" hook
Update User's "before delete" hook to take into account the case when
the related AccessToken model was not configured in the application
(attached to a datasource).
2018-06-29 14:51:41 +02:00
wolrajhti cc4fc2197f
fix bug in User.verify when confirm is disabled 2018-05-31 12:40:23 +02:00
Kevin Scroggins b2bc449e24 Add check for undefined user email in setter 2018-05-23 20:00:45 -04:00
Miroslav Bajtoš 2aead13f11
Fix isOwner() bug in multiple-principal setup
Fix the owner role resolver to correctly handle the case when a user
from one model (e.g. Seller) is accessing an instance of another
user-like model (e.g. Customer).
2018-05-18 15:36:59 +02:00
Miroslav Bajtoš 0cd380c590
feat: remove all references to a Model
Add API allowing applications to hide a Model from the
REST API and remove all references to it, allowing Garbage Collector
to claim all memory used by the model.
2018-04-17 09:42:08 +02:00
Miroslav Bajtoš 743b2d1495
Remove forgotten debugger statement 2018-03-22 09:21:44 +01:00
Miroslav Bajtoš f4527c9c91
Fix role check in apps with multiple user models 2018-03-20 14:15:44 +01:00
Miroslav Bajtoš 66497ead70
Merge pull request #3787 from strongloop/fix/dangling-promise-in-test
test: add missing "return" in a promise-style test
2018-02-09 08:20:10 +01:00
Kevin Delisle 386615a1df model: fix infinite loop on nestRemoting
Prevent endless recursion on nestRemoting calls for
two-way model links.
2018-02-08 11:26:02 -05:00
Miroslav Bajtoš 3723f107db
test: add missing "return" in a promise-style test
Before this change, when the test failed, the rejected promise
was not reported back to mocha and triggered "unhandled promise
rejection" warning only.
2018-02-02 14:25:52 +01:00
Raymond Feng d23ff84587
Merge pull request #3784 from zbarbuto/fix/user-status-code
Use statusCode prop for user errors
2018-01-31 15:16:27 -08:00
Zak Barbuto 50e2b49efe Use statusCode prop for user errors 2018-02-01 09:40:13 +10:30
Kevin Scroggins ab791fc258
fix: preserve datasource name
Modify the code creating juggler DataSource objects to correctly
forward the datasource name provided by the user.
2018-01-19 15:58:33 +01:00
Justin Ross 60750b4508
Update Copyright Years
Update copyright years to include 2018
2018-01-16 13:55:02 +01:00
Edward Choh 00169d2312
Support options.filter in createChangeStream
Implement "options.filter" argument in Persisted.createChangeStream()
by leveraging loopback-filter module.
2017-12-14 13:08:28 +01:00
Miroslav Bajtoš 7c030c6900
Merge pull request #3728 from strongloop/update-eslint-config
Update eslint and eslint-config to latest
2017-12-14 13:07:14 +01:00
bmatson 317e00d92c
Update nestRemoting to pass optionsFromContext
Fix the code invoking relation getter to correctly pass through
the "options" argument.
2017-12-12 17:24:35 +01:00
Miroslav Bajtoš 73cc950b1b
Update eslint and eslint-config to latest 2017-12-12 09:33:15 +01:00
Samuel Reed 3af6a1bbaa
fix(test): rem exclusive test
Ref: #3720
2017-12-08 11:14:15 -06:00
Samuel Reed 2bfd67ccaa
fix(test): working test with 0 userId 2017-12-07 10:10:35 -06:00
Samuel Reed b362776e73
fix(AccessContext): Tighten userid/appid checks
An application may have a use for a falsy ID.
2017-12-05 10:03:52 -06:00
CSLTech 1a2d8a4571 Added missing DateString type in loopback index 2017-11-21 11:56:36 -05:00
Miroslav Bajtoš 825d5a6373
Merge tag 'v3.16.1'
Bring in changes from #3674 that were accidentally not landed on master:

 * Fix createOnlyInstance for related methods (Raymond Feng)

Close #3674
2017-10-30 09:00:16 +01:00
Raymond Feng 6570b94843 Fix createOnlyInstance for related methods
For scoped or related create method, the createOnlyInstance flag should
be calculated on the target model. For example, User.createAccessTokens
should set the flag only if AccessToken has updateonly properties.
2017-10-27 18:51:56 -07:00
Miroslav Bajtoš 3996f56ab9
Fix "POST /change-password" for multi-user setup
Fix the code extracting current user id from the access token provided
in the HTTP request, to allow only access tokens created by the target
user models to execute the action.

This fixes the following security vulnerability:

* We have two user models, e.g. Admin and Customer

* We have an Admin instance and a Customer instance with the same
  id and the same password.

* The Customer can change Admin's password using their
  regular access token.
2017-10-27 09:47:07 +02:00
Miroslav Bajtoš 0a2a45512c
Fix "POST /reset-password" for multi-user setup
Fix the code extracting current user id from the access token provided
in the HTTP request, to allow only access tokens created by the target
user models to execute the action.

This fixes the following security vulnerability:

* A UserA with id 1 (for example), requires a resetToken1

* A UserB with the same id requires a resetToken2.

* Using resetToken2, use the UserAs/reset-password endpoint and change
  the password of UserA and/or vice-versa.
2017-10-19 13:29:08 +02:00