cb600d1470
3.16.2
...
* Fix "POST /change-password" for multi-user setup (Miroslav Bajtoš)
2017-10-30 09:03:15 +01:00
825d5a6373
Merge tag 'v3.16.1'
...
Bring in changes from #3674 that were accidentally not landed on master:
* Fix createOnlyInstance for related methods (Raymond Feng)
Close #3674
2017-10-30 09:00:16 +01:00
91729ee550
Merge pull request #3675 from strongloop/fix/change-password-multiple-users
...
Fix "POST /change-password" for multi-user setup
2017-10-30 08:58:07 +01:00
010c7bcd5f
3.16.1
...
* Fix createOnlyInstance for related methods (Raymond Feng)
2017-10-27 21:43:40 -07:00
6570b94843
Fix createOnlyInstance for related methods
...
For scoped or related create method, the createOnlyInstance flag should
be calculated on the target model. For example, User.createAccessTokens
should set the flag only if AccessToken has updateonly properties.
2017-10-27 18:51:56 -07:00
3996f56ab9
Fix "POST /change-password" for multi-user setup
...
Fix the code extracting current user id from the access token provided
in the HTTP request, to allow only access tokens created by the target
user models to execute the action.
This fixes the following security vulnerability:
* We have two user models, e.g. Admin and Customer
* We have an Admin instance and a Customer instance with the same
id and the same password.
* The Customer can change Admin's password using their
regular access token.
2017-10-27 09:47:07 +02:00
4d4070e542
3.16.0
...
* Fix "POST /reset-password" for multi-user setup (Miroslav Bajtoš)
* test: extract helpers for logging HTTP errors (Miroslav Bajtoš)
* CODEOWNERS: move @lehni to Alumni section (Miroslav Bajtoš)
2017-10-24 14:12:37 -04:00
2761e62533
Merge pull request #3666 from strongloop/fix/multi-user-reset-password
...
Fix "POST /reset-password" for multi-user setup
2017-10-24 14:10:35 -04:00
0a2a45512c
Fix "POST /reset-password" for multi-user setup
...
Fix the code extracting current user id from the access token provided
in the HTTP request, to allow only access tokens created by the target
user models to execute the action.
This fixes the following security vulnerability:
* A UserA with id 1 (for example), requires a resetToken1
* A UserB with the same id requires a resetToken2.
* Using resetToken2, use the UserAs/reset-password endpoint and change
the password of UserA and/or vice-versa.
2017-10-19 13:29:08 +02:00
4ebc517a78
test: extract helpers for logging HTTP errors
...
Extract two helpers into a shared file:
- logAllServerErrors(app)
- logServerErrorsOtherThan(statusCode, app)
2017-10-19 13:08:54 +02:00
083fb5d668
Merge pull request #3659 from strongloop/remove/lehni
...
CODEOWNERS: move @lehni to Alumni section
2017-10-19 10:44:20 +02:00
c3450df4db
CODEOWNERS: move @lehni to Alumni section
2017-10-19 10:42:54 +02:00
f30159cd23
3.15.0
...
* update strong-globalize to 3.1.0 (shimks)
* Fix handling of user verification options (Miroslav Bajtoš)
* Handle missing getUpdateOnlyProperties fn (Jürg Lehni)
* test: fix too strict test assertion (Miroslav Bajtoš)
* Fix typo (Siegfried Ehret)
2017-10-13 15:33:56 +02:00
64d60fb6f7
Merge pull request #3650 from strongloop/update-strong-globalize
...
update strong-globalize to 3.1.0
2017-10-13 15:27:02 +02:00
2f02fbac89
update strong-globalize to 3.1.0
2017-10-12 15:08:04 -04:00
fb8f3d9df3
Merge pull request #3647 from lehni/model/fix-updateonly-props-check
...
Handle missing getUpdateOnlyProperties fn on Model
2017-10-09 17:00:55 +02:00
9176ee2e11
Merge pull request #3609 from sebastianfelipe/fix/user-verify-duplicated-token
...
Fix handling of user verification options
2017-10-09 14:00:22 +02:00
d0a4941668
Fix handling of user verification options
...
- Fix `User.prototype.verify` to not modify properties of the supplied
`verifyOptions` argument. This is needed to allow callers to supply
the same options object to multiple calls of `verify`.
- Fix `User.getVerifyOptions` to always return a new copy of the
options object. This is needed to allow callers to modify the
returned options object without affecting the result returned
by subsequent calls of `getVerifyOptions`.
2017-10-09 13:42:22 +02:00
826ee2aca8
Handle missing getUpdateOnlyProperties fn
...
If the current scope does not define a getUpdateOnlyProperties
function, the updateOnlyProps value will now be set to false.
2017-10-09 09:19:47 +02:00
8488da2e26
Merge pull request #3637 from strongloop/fix/build
...
test: fix too strict test assertion
2017-10-05 13:14:52 +02:00
33989d776c
test: fix too strict test assertion
...
Rework the test verifying properties of `loopback` to ignore
new express properties added after the test was written.
2017-10-04 10:31:50 +02:00
1dd0ab31e0
Merge pull request #3636 from SiegfriedEhret/patch-1
...
Fix typo in jsdoc
2017-10-04 10:11:04 +02:00
db8130ac6d
Fix typo
...
Update a jsdoc thing to match the argument name.
2017-10-04 09:26:17 +02:00
c9913927e5
3.14.0
...
* Allow declarative nestRemoting for relations (Raymond Feng)
2017-09-28 11:07:15 -07:00
c453ad52c2
Merge pull request #3628 from strongloop/declarative-nest-remoting
...
Allow declarative nestRemoting for relations
2017-09-28 11:06:32 -07:00
c0a0f09f3a
Allow declarative nestRemoting for relations
...
Now relation.options.nestRemoting can be set to true so that
nestRemoting will be set up automatically without explicitly
calling MyModel.nestRemoting
2017-09-27 09:22:06 -07:00
fcfaf7ef53
3.13.0
...
* Fix OWNER role to handle multiple relations (pierreclr)
* Fix acl.resolvePermission for wildcard req (Farid Neshat)
* CODEOWNERS: add zbarbuto (Miroslav Bajtoš)
2017-09-27 17:45:28 +02:00
658d228789
Merge pull request #3140 from pierreclr/feature/allow-mutiple-owners-resolving
...
Fix OWNER role to handle multiple relations
2017-09-27 17:43:48 +02:00
e17132d061
Fix OWNER role to handle multiple relations
...
Fix the code resolving OWNER role to correctly handle the situation
where the target model has multiple "belongsTo" relations to the User
model.
Introduce a new model setting "ownerRelations" that enables the new
behavior. When "ownerRelations" is set to true, then all "belongsTo"
relations are considered as granting ownership. Alternatively,
"ownerRelations" can be set to an array of the relations which
are granting ownership.
For example, a document can "belongTo" an author and a reviewer,
but only the author is an owner, the reviewer is not. In this case,
"ownerRelations" should be set to "['author']".
2017-09-27 17:11:36 +02:00
ef7175a4d5
Merge pull request #3293 from alFReD-NSH/bugfix/acl-checkpermission
...
Fix acl.resolvePermission not working with wildcard request
2017-09-27 16:51:27 +02:00
2128ecde46
Merge pull request #3625 from strongloop/welcome-zbarbuto
...
CODEOWNERS: add zbarbuto
2017-09-27 11:10:40 +02:00
d2d8fabb16
Fix acl.resolvePermission for wildcard req
...
When acl.resolvePermission was called with a request containing a
wildcard, it would return the matching acl with lowest score instead of
higher.
Fixes #2153
2017-09-27 02:48:34 +02:00
4c4430ea95
3.12.0
...
* Fix relation race condition in model glob (Zak Barbuto)
* CODEOWNERS: add lehni (Miroslav Bajtoš)
2017-09-25 15:58:47 +02:00
883667ce8e
CODEOWNERS: add zbarbuto
2017-09-25 09:49:00 +02:00
0f40ca8f8e
Merge pull request #3565 from zbarbuto/fix/shared-glob
...
Fix relation race condition in model glob
2017-09-01 09:44:13 +02:00
d405432b2d
Fix relation race condition in model glob
...
Globs working depended on the order that models were imported.
Remote sharing is now re-calculated whenever a new model is remoted.
2017-09-01 09:18:39 +09:30
30f3161c65
Merge pull request #3595 from strongloop/welcome-lehni
...
CODEOWNERS: add lehni as a collaborator
2017-08-31 11:15:07 +02:00
63721fd253
CODEOWNERS: add lehni
2017-08-30 10:46:06 +02:00
6ba35c297b
3.11.1
...
* Handle missing getUpdateOnlyProperties fn (Kevin Delisle)
2017-08-23 09:17:57 -07:00
8bff145c65
Merge pull request #3579 from strongloop/persisted-model/fix-updateonly-props-check
...
Handle missing getUpdateOnlyProperties fn
2017-08-23 10:48:19 -04:00
16ede97033
Handle missing getUpdateOnlyProperties fn
...
If the current scope does not define a getUpdateOnlyProperties
function, the updateOnlyProps value will now be set to false.
2017-08-23 10:21:11 -04:00
29e89f50e5
3.11.0
...
* Support createOnlyInstance in model (#3548 ) (Rashmi Hunt)
* Add stalebot configuration (Kevin Delisle)
* Catch errors on invalidate update (loay)
* Update Issue and PR Templates (#3568 ) (Sakib Hasan)
2017-08-22 17:17:24 -07:00
3651c09782
Support createOnlyInstance in model ( #3548 )
...
* setting up createOnlyInstance
* add comment
* fix eslint issue
* new tests
* Address code review comments
2017-08-22 17:10:55 -07:00
661f7741cd
Add stalebot configuration
2017-08-22 15:12:54 -04:00
4a8e3f1327
Merge pull request #3570 from strongloop/catch-err
...
Catch errors on invalidate update
2017-08-17 11:24:57 -04:00
bf4b5de648
Catch errors on invalidate update
2017-08-17 10:46:09 -04:00
b3602bdd18
Update Issue and PR Templates ( #3568 )
...
* update issue template
* update pr template
2017-08-16 11:54:30 -04:00
b1adba1c4a
3.10.1
...
* fix(validatePassword): reword error message (Samuel Reed)
* Do not add isStatic properties to method settings (Jürg Lehni)
2017-08-16 16:20:33 +02:00
2ebe38b4d5
Merge pull request #3540 from lehni/fix/isStatic-method-settings
...
Do not add isStatic properties to method settings
2017-08-16 15:55:11 +02:00
bc8778908e
Merge pull request #3556 from STRML/fix/validatePassword
...
fix(validatePassword): Reword password too long error.
2017-08-16 15:53:58 +02:00
Miroslav Bajtoš
Raymond Feng
Raymond Feng
Kevin Delisle
shimks
Jürg Lehni
Siegfried Ehret
pierreclr
Farid Neshat
Zak Barbuto
rashmihunt
Loay
Sakib Hasan