params.query is ignored for returned data when removing a record #244
Comments
|
I opened a pull request but found that there are some issues with other properties on params.query like "$populate". I'll fix them locally, test the new module for a while and open a new pull request. Feedback from core developers is still highly appreciated since the |
|
@daffl and the feathers team: I'd kindly ask that this issue be prioritized. Based on my current understanding, this is an important security vulnerability that can lead to exposing any record by it's ID since the Lines 123 and following in const discriminator = (params.query || {})[this.discriminatorKey] || this.discriminatorKey;
const model = this.discriminators[discriminator] || this.Model;
let modelQuery = model
.findOne({ [this.id]: id });Could ammending this something like so might work (as already mostly in PR #245 by @SteffenLanger ): // construct query from params
const queryObj = { [this.id]: id }
for (let propName in params.query) {
if (propName[0] !== "$" && propName !== this.discriminatorKey) {
queryObj[propName] = params.query[propName]
}
}
let modelQuery = model
.findOne(queryObj);If a As far as I've understood, that is not expected behavior but please instruct if so. Appreciate any feedback from the feathers team on this. |
|
This seems like expected behavior to me. Feathers doesn't enforce any permissions, you need to add them in based on your needs. You could use an after hook to check if the record should be shown to the user. You could also use a before hook and overwrite the normal response to use the query you've shown above. I understand your concern and use case, but the base use case is letting everything be accessible. You can customize the service to your needs with hooks easily after that. Hope this helps clear things up. |
|
@jamesjnadeau Thanks for the reply. I agree that feathers or The core question (as I see it right now) is whether or not For instance, if we have a record that takes this shape: {
"_id": "some_mongo_id",
"user": 1
// etc
}And we query it like this from a feathers client: service('record').get("some_mongo_id", { query: { user: 25 } })Should it return the record even though the query does not match? In my understanding, it should not; however, Also, based on my read of the const where = utils.getWhere(params.query);
// Attach 'where' constraints, if any were used.
const q = Object.assign({
raw: this.raw,
where: Object.assign({[this.id]: id}, where)
}, params.sequelize);I'd have to set up an environment to test this out, but pretty sure the behavior is different than Also, even if the maintainers disagree about changing service('record').remove("some_mongo_id", { query: { user: 25 } })This returns a 200, the record matching an ID in the response body, but does not actually delete the record. In other words, the request looks like a success but the action actually failed. (In my application, I add the query in a Sorry for the tome. Just want to be absolutely clear here on the issue since it has major implications for how I implement security in my application. |
|
Looking at this again, it does appear this adapter works differently than others, it . Please make a pull request with your requested changes. |
|
The behaviour of how the query is honoured for requests with an id has not been specified across adapters and is therefore somewhat inconsistent. I created an issue yesterday in feathersjs/feathers#925 that outlines some of the changes coming to the database adapters, including this change. Currently e.g. the feathers-authentication-hooks are doing another |
|
Thanks for the response @jamesjnadeau and @daffl . With the direction raised in feathersjs/feathers#925, would it better to hold on any changes in this repo until that issue is resolved in feathers core? If not, I think that @SteffenLanger 's PR #245 should address the issues. It represents a fairly substantial change in behavior that would probably be breaking in some applications. |
|
Any update on this? Do you want to accept PR #245 or wait for feathersjs/feathers#925 to be resolved and implemented into |
|
@daffl : Does feathersjs/feathers#925 fix this issue? |
|
Yes, it should. Sorry for not getting it in with your PR but it was easier this way. |
|
@daffl : no worries; thanks for fixing this in a comprehensive. I'm looking at our migration path. |
Steps to reproduce
(First please check that this issue is not already solved as described
here)
Done.
When deleting a record with a request like "DELETE /users/abc-id", we set the property params.query.createdBy to the currently logged in user in a hook. If the user did not create the record, he must not delete it.
This is correctly interpreted by the remove method, so the record is not deleted. However, since the _get method ignores the query, the DELETE request returns the record as though it were deleted.
Expected behavior
Instead of returning the record associated with the ID "abc-id", the response should be a 404 Not Found error.
Actual behavior
The response contains the record with the ID "abc-id".
System configuration
Tell us about the applicable parts of your setup.
Module versions (especially the part that's not working):
feathers-mongoose 6.1.2
NodeJS version:
Node.js 8.11.2
Operating System:
Ubuntu 16.04
Browser Version:
x
React Native Version:
x
Module Loader:
Node.js require
I will submit a pull request in some minutes.
The text was updated successfully, but these errors were encountered: