ackerdev / sequelize-attribute-roles

Attribute whitelisting/blacklisting with roles for Sequelize

Never return password not working? #2

Open rastalamm opened 8 years ago

rastalamm commented 8 years ago

I am not sure what I am doing wrong, but the 'password' column/value is still being sent out in the response.

Here are my settings:

User.js Model

var sequelizeAttributeRoles = require('sequelize-attribute-roles');

"use strict"; // NOTE(review): a require() precedes this line, so it is an ordinary expression statement here, not a strict-mode directive (directives must open the file)
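/**
 * Defines the User model on the given Sequelize instance.
 *
 * @param {Sequelize} sequelize - instance the model is registered on
 * @param {Object} DataTypes - Sequelize data type constructors
 * @returns {Model} the User model, with sequelize-attribute-roles applied to it
 */
module.exports = function (sequelize, DataTypes) {

    var User = sequelize.define("User", {
        id: {
            type: DataTypes.INTEGER,
            primaryKey: true,
            autoIncrement: true
        },
        first_name: DataTypes.STRING,
        last_name: DataTypes.STRING,
        password: {
            type: DataTypes.STRING,
            // Flag read by sequelize-attribute-roles to keep this column out of
            // query results; this issue reports it not taking effect because the
            // hook sees no role on the query options.
            access: false
        },
    }, {
        getterMethods: {
            full_name: function () {
                return `${this.first_name} ${this.last_name}`;
            }
        },
        instanceMethods: {
            // Defense in depth: res.json(user) serializes through toJSON(), so the
            // password is dropped here even when the attribute-roles hook did not
            // filter it. Mirrors the Sequelize 3 default (get({ plain: true })).
            toJSON: function () {
                var values = Object.assign({}, this.get({ plain: true }));
                delete values.password;
                return values;
            }
        },
        tableName: "users"
    });

    // Per-model guarding; the package author notes this is interchangeable
    // with calling sequelizeAttributeRoles(sequelize) once for all models.
    sequelizeAttributeRoles(User);

    return User;
};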

index.js (Sequelize generated)

'use strict';

var fs        = require('fs');
var path      = require('path');
var Sequelize = require('sequelize');
var sequelizeAttributeRoles = require('sequelize-attribute-roles');
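// Resolve the per-environment connection settings: NODE_ENV selects the block
// inside config/config.json, an unset or empty value falls back to 'development'.
var basename  = path.basename(module.filename);
var env       = process.env.NODE_ENV || 'development';
var allConfig = require(path.join(__dirname, '..', 'config', 'config.json'));
var config    = allConfig[env];
if (!config) {
  // Fail with the environment name instead of a TypeError on config.database below.
  throw new Error('No database configuration for NODE_ENV "' + env + '" in config/config.json');
}
var sequelize = new Sequelize(config.database, config.username, config.password, {
    host: config.host,
    dialect: config.dialect,
    define: {underscored: true}
});
var db        = {};

// Import every sibling *.js model file, skipping dotfiles and this index itself.
fs
  .readdirSync(__dirname)
  .filter(function(file) {
    return (file.indexOf('.') !== 0) && (file !== basename) && (file.slice(-3) === '.js');
  })
  .forEach(function(file) {
    var model = sequelize['import'](path.join(__dirname, file));
    db[model.name] = model;
  });

// Wire associations only after every model is registered so cross-references resolve.
Object.keys(db).forEach(function(modelName) {
  if ('associate' in db[modelName]) {
    db[modelName].associate(db);
  }
});

// Enables attribute guarding on every model of this instance; the package author
// notes this and the per-model call in User.js are interchangeable, either one suffices.
sequelizeAttributeRoles(sequelize);

db.sequelize = sequelize;
db.Sequelize = Sequelize;

module.exports = db;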

My query (the `where` object is predefined above and is working properly):

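// Role passed as a separate second argument; the maintainer notes below that the
// role belongs inside the options object instead. Kept as reported in this issue.
User.findOne({
                where: where
            }, {role: 'other'}).then(function (user) {
                if (!user) {
                    res.sendStatus(404);
                } else {
                    // Serializes via user.toJSON(); whatever that returns reaches the client.
                    res.json(user);
                }
            }).catch(function () {
                // Without this a rejected query is an unhandled rejection and the client
                // gets no reply; answer generically and do not echo the error details.
                res.sendStatus(500);
            });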

I also tried the below query with no luck :(

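// Role carried inside the options object, which the maintainer confirms below
// is the intended usage of sequelize-attribute-roles.
User.findOne({
                where: where,
                role: 'other'
            }).then(function (user) {
                if (!user) {
                    res.sendStatus(404);
                } else {
                    // Serializes via user.toJSON(); whatever that returns reaches the client.
                    res.json(user);
                }
            }).catch(function () {
                // Without this a rejected query is an unhandled rejection and the client
                // gets no reply; answer generically and do not echo the error details.
                res.sendStatus(500);
            });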
ackerdev commented 8 years ago

I'm not sure why password is leaking here; unfortunately, I don't have a setup to debug this myself right now.

What version of Sequelize are you using? Does the same problem occur if you use findAll instead of findOne? Does your where object for the query contain any reference to the password field?

If you're able to, you may want to check out the source. If you can debug where things seem to be breaking down on your end, it would greatly help me understand what might be happening. And of course, if you're able to submit a patch, I'll be more than happy to merge it in.

Also, your second query is the correct way to use this package, and you don't need to do both sequelizeAttributeRoles(User) & sequelizeAttributeRoles(sequelize), either one will do (the first will enable attribute guarding on only the User model, the second will enable it for all of your models).

rastalamm commented 8 years ago

Sequelize Version: Sequelize [Node: 4.2.1, CLI: 1.7.2, ORM: 3.17.3] CLI version 3.9.0 Local version 3.9.0

The same problem happens for find, findAll, findById and findOne.

The where object doesn't include anything with password.

I checked out the source and ran console.log(options) on line 16 in the createHook function; it printed an object like this:

{ where: { id: '2' },
  plain: true, 
  hooks: true,
  attributes: 
    [ 'id', 
      'name', 
      'password'
    ]
}

For me, options.role would always yield undefined.