Nemcio/meanTorrent
1
0
Fork 0
mirror of https://github.com/taobataoma/meanTorrent.git synced 2026-03-12 07:00:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(users): don't update secure profile fields (#1421)

Browse Source 
* Fix(users): Don't update secure profile fields

Avoid updating secure fields as password, salt ..etc through
user profile update.

Fixes #1420

* Refactor variable name
This commit is contained in:
shanavas
2016-08-27 09:45:06 +03:00
committed by Liran Tal
parent 2f394ecb97
commit 730cca76af
2 changed files with 53 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
modules/users/server/controllers/users/users.profile.server.controller.js
View File

@@ -12,6 +12,8 @@ var _ = require('lodash'),
config = require(path.resolve('./config/config')),
User = mongoose.model('User');
var whitelistedFields = ['firstName', 'lastName', 'email', 'username'];
/**
* Update user details
*/
@@ -19,15 +21,10 @@ exports.update = function (req, res) {
// Init Variables
var user = req.user;
// For security measurement we remove the roles from the req.body object
delete req.body.roles;
// For security measurement do not use _id from the req.body object
delete req.body._id;
if (user) {
// Merge existing user
user = _.extend(user, req.body);
// Update whitelisted fields only
user = _.extend(user, _.pick(req.body, whitelistedFields));
user.updated = Date.now();
user.displayName = user.firstName + ' ' + user.lastName;