Rework browser tests to run in Headless Chrome instead of PhantomJS,
because the latter is no longer maintained.
This allows us to remove transpilation to ES5 via babelify, which
significantly improves speed of our tests.
Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
AppDynamics injects a proxy object into the router stack, which it
uses for its network analysis. This is similar to how NewRelic
adds a sentinel handler to the router stack. This commit adds a
similar workaround so that loopback can find the original layer.
Fix AccessToken's method tokenIdForRequest to treat an empty string
as if no access token was provided.
This is needed to accomodate the changes made in
loopback-datasource-juggler@2.56.0.
Update User's "before delete" hook to take into account the case when
the related AccessToken model was not configured in the application
(attached to a datasource).
Fix the owner role resolver to correctly handle the case when a user
from one model (e.g. Seller) is accessing an instance of another
user-like model (e.g. Customer).
Add API allowing applications to hide a Model from the
REST API and remove all references to it, allowing Garbage Collector
to claim all memory used by the model.
Before this change, when the test failed, the rejected promise
was not reported back to mocha and triggered "unhandled promise
rejection" warning only.
For scoped or related create method, the createOnlyInstance flag should
be calculated on the target model. For example, User.createAccessTokens
should set the flag only if AccessToken has updateonly properties.
Fix the code extracting current user id from the access token provided
in the HTTP request, to allow only access tokens created by the target
user models to execute the action.
This fixes the following security vulnerability:
* We have two user models, e.g. Admin and Customer
* We have an Admin instance and a Customer instance with the same
id and the same password.
* The Customer can change Admin's password using their
regular access token.
Fix the code extracting current user id from the access token provided
in the HTTP request, to allow only access tokens created by the target
user models to execute the action.
This fixes the following security vulnerability:
* A UserA with id 1 (for example), requires a resetToken1
* A UserB with the same id requires a resetToken2.
* Using resetToken2, use the UserAs/reset-password endpoint and change
the password of UserA and/or vice-versa.
Sujesh T
Nora
Miroslav Bajtoš
Hage Yaapa
Maxim Sharai
Agnes Lin
Diana Lau
Mike Li
Matheus Horstmann
andrey-abramow
Raymond Feng
Moshe Malka
Mohammed Essehemy
lchaglla
virkt25
mcitdev
wolrajhti
Kevin Scroggins
Kevin Delisle
Zak Barbuto
Justin Ross
Edward Choh
bmatson
Samuel Reed
CSLTech
Raymond Feng