Commit Graph

2349 Commits

Author SHA1 Message Date
Miroslav Bajtoš 3723f107db
test: add missing "return" in a promise-style test
Before this change, when the test failed, the rejected promise
was not reported back to mocha and triggered "unhandled promise
rejection" warning only.
2018-02-02 14:25:52 +01:00
Raymond Feng d23ff84587
Merge pull request #3784 from zbarbuto/fix/user-status-code
Use statusCode prop for user errors
2018-01-31 15:16:27 -08:00
Zak Barbuto 50e2b49efe Use statusCode prop for user errors 2018-02-01 09:40:13 +10:30
Taranveer Virk 0eeb99060f 3.18.1
* update: juggler to version including security fix. (Taranveer Virk)
2018-01-31 16:56:12 -05:00
Taranveer Virk 6b4234b18d
Merge pull request #3781 from strongloop/update-juggler
update: juggler to version including security fix.
2018-01-31 16:40:55 -05:00
Taranveer Virk 2c909b8223 update: juggler to version including security fix. 2018-01-31 14:33:37 -05:00
Miroslav Bajtoš c5ff5faf0d
3.18.0
* fix: preserve datasource name (Kevin Scroggins)
 * Update Copyright Years (Justin Ross)
 * Support options.filter in createChangeStream (Edward Choh)
 * fixup! add top-level dep on eslint-plugin-mocha (Miroslav Bajtoš)
 * Update eslint and eslint-config to latest (Miroslav Bajtoš)
2018-01-29 16:36:14 +01:00
Miroslav Bajtoš 60c9dd166b
Merge pull request #3733 from nitro404/hotfix/retain-datasource-name
Fixe data sources not retaining the correct name value
2018-01-19 17:08:22 +01:00
Kevin Scroggins ab791fc258
fix: preserve datasource name
Modify the code creating juggler DataSource objects to correctly
forward the datasource name provided by the user.
2018-01-19 15:58:33 +01:00
Miroslav Bajtoš 72d48c3bfa
Merge pull request #3746 from JustinTRoss/patch-1
Update Copyright Years
2018-01-16 14:36:14 +01:00
Justin Ross 60750b4508
Update Copyright Years
Update copyright years to include 2018
2018-01-16 13:55:02 +01:00
Miroslav Bajtoš 0a4940e31e
Merge pull request #3683 from edwardchoh/master
Support options.filter in createChangeStream
2017-12-14 14:59:14 +01:00
Edward Choh 00169d2312
Support options.filter in createChangeStream
Implement "options.filter" argument in Persisted.createChangeStream()
by leveraging loopback-filter module.
2017-12-14 13:08:28 +01:00
Miroslav Bajtoš 7c030c6900
Merge pull request #3728 from strongloop/update-eslint-config
Update eslint and eslint-config to latest
2017-12-14 13:07:14 +01:00
Miroslav Bajtoš 243af4bfc2
3.17.1
* Update nestRemoting to pass optionsFromContext (bmatson)
 * fix(test): rem exclusive test (Samuel Reed)
 * fix(test): working test with 0 userId (Samuel Reed)
 * fix(AccessContext): Tighten userid/appid checks (Samuel Reed)
 * fix(id): replace with != null (Samuel Reed)
2017-12-12 19:43:30 +01:00
Miroslav Bajtoš b045e4a6be
Merge pull request #3681 from zipitwireless/master
Update nestRemoting to pass optionsFromContext
2017-12-12 19:00:09 +01:00
bmatson 317e00d92c
Update nestRemoting to pass optionsFromContext
Fix the code invoking relation getter to correctly pass through
the "options" argument.
2017-12-12 17:24:35 +01:00
Miroslav Bajtoš 010bbc6369
fixup! add top-level dep on eslint-plugin-mocha 2017-12-12 13:08:05 +01:00
Miroslav Bajtoš 73cc950b1b
Update eslint and eslint-config to latest 2017-12-12 09:33:15 +01:00
Miroslav Bajtoš fdb453943a
Merge pull request #3725 from STRML/fix/exclusive-test
fix(test): rem exclusive test
2017-12-08 20:19:01 +01:00
Samuel Reed 3af6a1bbaa
fix(test): rem exclusive test
Ref: #3720
2017-12-08 11:14:15 -06:00
Miroslav Bajtoš 3bf84bacde
Merge pull request #3720 from STRML/fix/falsy-id-3.x
Fix handling of falsy model ids
2017-12-08 15:24:13 +01:00
Samuel Reed 2bfd67ccaa
fix(test): working test with 0 userId 2017-12-07 10:10:35 -06:00
Samuel Reed b362776e73
fix(AccessContext): Tighten userid/appid checks
An application may have a use for a falsy ID.
2017-12-05 10:03:52 -06:00
Samuel Reed 0bac0a933f
fix(id): replace with != null
Ref: #2356, #2374, #3130, #3693
2017-12-05 09:54:28 -06:00
Diana Lau 1babfcde9f 3.17.0
* Added missing DateString type in loopback index (CSLTech)
 * chore:update license (Diana Lau)
2017-11-29 15:49:28 -05:00
Kevin Delisle 5dd5a674ce
Merge pull request #3689 from CSLTech/master
Added missing DateString type in loopback index
2017-11-22 13:34:25 -05:00
CSLTech 1a2d8a4571 Added missing DateString type in loopback index 2017-11-21 11:56:36 -05:00
Diana Lau 0737f5476d
Merge pull request #3687 from strongloop/license
chore:update license
2017-11-13 14:55:53 -05:00
Diana Lau b67a096f9e chore:update license 2017-11-09 13:12:39 -05:00
Miroslav Bajtoš cb600d1470
3.16.2
* Fix "POST /change-password" for multi-user setup (Miroslav Bajtoš)
2017-10-30 09:03:15 +01:00
Miroslav Bajtoš 825d5a6373
Merge tag 'v3.16.1'
Bring in changes from #3674 that were accidentally not landed on master:

 * Fix createOnlyInstance for related methods (Raymond Feng)

Close #3674
2017-10-30 09:00:16 +01:00
Miroslav Bajtoš 91729ee550
Merge pull request #3675 from strongloop/fix/change-password-multiple-users
Fix "POST /change-password" for multi-user setup
2017-10-30 08:58:07 +01:00
Raymond Feng 010c7bcd5f 3.16.1
* Fix createOnlyInstance for related methods (Raymond Feng)
2017-10-27 21:43:40 -07:00
Raymond Feng 6570b94843 Fix createOnlyInstance for related methods
For scoped or related create method, the createOnlyInstance flag should
be calculated on the target model. For example, User.createAccessTokens
should set the flag only if AccessToken has updateonly properties.
2017-10-27 18:51:56 -07:00
Miroslav Bajtoš 3996f56ab9
Fix "POST /change-password" for multi-user setup
Fix the code extracting current user id from the access token provided
in the HTTP request, to allow only access tokens created by the target
user models to execute the action.

This fixes the following security vulnerability:

* We have two user models, e.g. Admin and Customer

* We have an Admin instance and a Customer instance with the same
  id and the same password.

* The Customer can change Admin's password using their
  regular access token.
2017-10-27 09:47:07 +02:00
Kevin Delisle 4d4070e542 3.16.0
* Fix "POST /reset-password" for multi-user setup (Miroslav Bajtoš)
 * test: extract helpers for logging HTTP errors (Miroslav Bajtoš)
 * CODEOWNERS: move @lehni to Alumni section (Miroslav Bajtoš)
2017-10-24 14:12:37 -04:00
Kevin Delisle 2761e62533 Merge pull request #3666 from strongloop/fix/multi-user-reset-password
Fix "POST /reset-password" for multi-user setup
2017-10-24 14:10:35 -04:00
Miroslav Bajtoš 0a2a45512c
Fix "POST /reset-password" for multi-user setup
Fix the code extracting current user id from the access token provided
in the HTTP request, to allow only access tokens created by the target
user models to execute the action.

This fixes the following security vulnerability:

* A UserA with id 1 (for example), requires a resetToken1

* A UserB with the same id requires a resetToken2.

* Using resetToken2, use the UserAs/reset-password endpoint and change
  the password of UserA and/or vice-versa.
2017-10-19 13:29:08 +02:00
Miroslav Bajtoš 4ebc517a78
test: extract helpers for logging HTTP errors
Extract two helpers into a shared file:

 - logAllServerErrors(app)
 - logServerErrorsOtherThan(statusCode, app)
2017-10-19 13:08:54 +02:00
Miroslav Bajtoš 083fb5d668 Merge pull request #3659 from strongloop/remove/lehni
CODEOWNERS: move @lehni to Alumni section
2017-10-19 10:44:20 +02:00
Miroslav Bajtoš c3450df4db
CODEOWNERS: move @lehni to Alumni section 2017-10-19 10:42:54 +02:00
Miroslav Bajtoš f30159cd23
3.15.0
* update strong-globalize to 3.1.0 (shimks)
 * Fix handling of user verification options (Miroslav Bajtoš)
 * Handle missing getUpdateOnlyProperties fn (Jürg Lehni)
 * test: fix too strict test assertion (Miroslav Bajtoš)
 * Fix typo (Siegfried Ehret)
2017-10-13 15:33:56 +02:00
Miroslav Bajtoš 64d60fb6f7 Merge pull request #3650 from strongloop/update-strong-globalize
update strong-globalize to 3.1.0
2017-10-13 15:27:02 +02:00
shimks 2f02fbac89 update strong-globalize to 3.1.0 2017-10-12 15:08:04 -04:00
Miroslav Bajtoš fb8f3d9df3 Merge pull request #3647 from lehni/model/fix-updateonly-props-check
Handle missing getUpdateOnlyProperties fn on Model
2017-10-09 17:00:55 +02:00
Miroslav Bajtoš 9176ee2e11 Merge pull request #3609 from sebastianfelipe/fix/user-verify-duplicated-token
Fix handling of user verification options
2017-10-09 14:00:22 +02:00
Miroslav Bajtoš d0a4941668
Fix handling of user verification options
- Fix `User.prototype.verify` to not modify properties of the supplied
   `verifyOptions` argument. This is needed to allow callers to supply
   the same options object to multiple calls of `verify`.

 - Fix `User.getVerifyOptions` to always return a new copy of the
   options object. This is needed to allow callers to modify the
   returned options object without affecting the result returned
   by subsequent calls of `getVerifyOptions`.
2017-10-09 13:42:22 +02:00
Jürg Lehni 826ee2aca8 Handle missing getUpdateOnlyProperties fn
If the current scope does not define a getUpdateOnlyProperties
function, the updateOnlyProps value will now be set to false.
2017-10-09 09:19:47 +02:00
Miroslav Bajtoš 8488da2e26 Merge pull request #3637 from strongloop/fix/build
test: fix too strict test assertion
2017-10-05 13:14:52 +02:00