fix(users): don't update secure profile fields (#1421)

* Fix(users): Don't update secure profile fields Avoid updating secure fields as password, salt ..etc through user profile update. Fixes #1420 * Refactor variable name
2026-06-16 01:11:48 +02:00 · 2016-08-27 09:45:06 +03:00
parent 2f394ecb97
commit 730cca76af
2 changed files with 53 additions and 8 deletions
--- a/modules/users/server/controllers/users/users.profile.server.controller.js
+++ b/modules/users/server/controllers/users/users.profile.server.controller.js
@@ -12,6 +12,8 @@ var _ = require('lodash'),
  config = require(path.resolve('./config/config')),
  User = mongoose.model('User');

+var whitelistedFields = ['firstName', 'lastName', 'email', 'username'];
+
 /**
 * Update user details
 */
@@ -19,15 +21,10 @@ exports.update = function (req, res) {
  // Init Variables
  var user = req.user;

-  // For security measurement we remove the roles from the req.body object
-  delete req.body.roles;
-
-  // For security measurement do not use _id from the req.body object
-  delete req.body._id;
-
  if (user) {
-    // Merge existing user
-    user = _.extend(user, req.body);
+    // Update whitelisted fields only
+    user = _.extend(user, _.pick(req.body, whitelistedFields));
+
    user.updated = Date.now();
    user.displayName = user.firstName + ' ' + user.lastName;

--- a/modules/users/tests/server/user.server.routes.tests.js
+++ b/modules/users/tests/server/user.server.routes.tests.js
@@ -807,6 +807,54 @@ describe('User CRUD tests', function () {
    });
  });

+  it('should not be able to update secure fields', function (done) {
+    var resetPasswordToken = 'password-reset-token';
+    user.resetPasswordToken = resetPasswordToken;
+
+    user.save(function (saveErr) {
+      if (saveErr) {
+        return done(saveErr);
+      }
+      agent.post('/api/auth/signin')
+        .send(credentials)
+        .expect(200)
+        .end(function (signinErr, signinRes) {
+          // Handle signin error
+          if (signinErr) {
+            return done(signinErr);
+          }
+          var userUpdate = {
+            password: 'Aw3$0m3P@ssWord',
+            salt: 'newsaltphrase',
+            created: new Date(2000, 9, 9),
+            resetPasswordToken: 'tweeked-reset-token'
+          };
+
+          // Get own user details
+          agent.put('/api/users')
+            .send(userUpdate)
+            .expect(200)
+            .end(function (err, res) {
+              if (err) {
+                return done(err);
+              }
+
+              User.findById(user._id, function (dbErr, updatedUser) {
+                if (dbErr) {
+                  return done(dbErr);
+                }
+
+                updatedUser.password.should.be.equal(user.password);
+                updatedUser.salt.should.be.equal(user.salt);
+                updatedUser.created.getTime().should.be.equal(user.created.getTime());
+                updatedUser.resetPasswordToken.should.be.equal(resetPasswordToken);
+                done();
+              });
+            });
+        });
+    });
+  });
+
  it('should not be able to update own user details if not logged-in', function (done) {
    user.roles = ['user'];