Merge pull request #65 from StatelessStudio/v0.4.2

DrewImm · web-flow · commit ff374d4f58ed · 2018-12-26T16:44:57.000-05:00
V0.4.2
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # PointyApi Changelog
 
+## [0.4.2] Dec-26-2018
+
+Fixed onlySelf() on GET
+
+### Fixes
+- onlySelf() on GET should not be authorized by default
+- onlySelf() should filter GET arrays
+
 ## [0.4.1] Dec-23-2018
 
 Fixed count parameter
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "pointyapi",
-	"version": "0.4.1",
+	"version": "0.4.2",
 	"author": "stateless-studio",
 	"license": "MIT",
 	"scripts": {
diff --git a/src/guards-auth/only-self.ts b/src/guards-auth/only-self.ts
@@ -50,7 +50,19 @@ export async function onlySelf(
 						userKeys
 					);
 				}
-				else {
+				else if (request.payload instanceof Array) {
+					// Filter payload
+					request.payload = request.payload.filter((result) => {
+						return isSelf(
+							result,
+							request.user,
+							request.payloadType,
+							request.userType,
+							bodyKeys,
+							userKeys
+						);
+					});
+
 					authorized = true;
 				}
 			}
diff --git a/test/spec/chat/chat/chat-get.spec.ts b/test/spec/chat/chat/chat-get.spec.ts
@@ -261,6 +261,49 @@ describe('[Chat] Chat API Get', async () => {
 			.catch((error) => fail(JSON.stringify(error)));
 	});
 
+	it(`does not return chats the user does not own`, async () => {
+		const user = await http
+			.post('/api/v1/user', {
+				fname: 'Chat',
+				lname: 'Hacker',
+				username: 'chatHacker',
+				password: 'password123',
+				email: 'chatHacker@test.com'
+			})
+			.catch((error) =>
+				fail('Could not create base user: ' + JSON.stringify(error))
+			);
+
+		const token = await http
+			.post('/api/v1/auth', {
+				__user: 'chatHacker',
+				password: 'password123'
+			})
+			.catch((error) =>
+				fail('Could not create User API Token' + JSON.stringify(error))
+			);
+
+		if (token) {
+			await http
+				.get(
+					'/api/v1/chat',
+					{
+						__search: '',
+						__whereAnyOf: {
+							to: this.user.body.id,
+							from: this.user.body.id
+						}
+					},
+					[ 200 ],
+					token.body['token']
+				)
+				.then((result) => {
+					expect(result.body['length']).toBe(0);
+				})
+				.catch((error) => fail(JSON.stringify(error)));
+		}
+	});
+
 	it('can count', async () => {
 		await http
 			.get(

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "pointyapi",`
`3`		`- "version": "0.4.1",`
	`3`	`+ "version": "0.4.2",`
`4`	`4`	`"author": "stateless-studio",`
`5`	`5`	`"license": "MIT",`
`6`	`6`	`"scripts": {`