Skip to content
This repository was archived by the owner on Mar 22, 2022. It is now read-only.

restrict-to-owner does not allow Service.remove(null) from internal systems #301

Closed
joelkoz opened this issue Oct 4, 2016 · 1 comment
Closed

restrict-to-owner does not allow Service.remove(null) from internal systems #301

joelkoz opened this issue Oct 4, 2016 · 1 comment

Comments

@joelkoz
Copy link

joelkoz commented Oct 4, 2016

In the restrict-to-owner hook, the code that allows authorization checks to be by-passed for internal system calls:

if (!hook.params.provider) { return hook; }

is currently done AFTER the check to see if a hook.id was passed in:

if (!hook.id) { throw new errors.MethodNotAllowed('The restrictToOwner hook should only be used on the 'get', 'update', 'patch' and 'remove' service methods.'); }

This prevents an internal service from calling service.remove(null) to delete the entire collection. The order of the two checks should be reversed.
@daffl
Copy link
Member

daffl commented Oct 31, 2016

This has been closed via #335 and released in v0.7.11.

@daffl daffl closed this as completed Oct 31, 2016
@joelkoz joelkoz mentioned this issue Nov 11, 2016
Closed
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@daffl @joelkoz