Closed socketwiz closed 9 years ago
This is interesting.
I have two concerns with this solution.
param()
method you provided isn't available?The second problem can be solved by making cansecurity
entirely tested and functioning under restify. I would like to get that done.
The first is the more pertinent question. req.param()
will always return a string, since that is what every framework treats query params and path parts as. Are you saying that when the validation is done, and it returns the user
object, the ID field is an integer?
I like the idea of parseInt, but since there is no way for the framework to know if we are dealing with int or string, maybe the other way around? Instead of parseInt, we should convert both of them to strings, to be safe? After all, a string a = "abc"; a.toString();
will still give "abc"
, while a=25; a.toString();
will give "25"
, so it is safe.
Yes. I just changed the tests to have the user ID for the first user to be 1
(integer) instead of "1"
(string). They fail with the same issue. Then added the .toString()
on the L20 comparison and it works. I am bumping number and pushing out. Thanks for bringing this up!
v0.6.17
The tests have all been updated to test for restify, and I included a version of your req.param()
in there so it works cleanly.
Thanks for the quick reply. Yeah I wasn't sure about how you might want to handle the strings, parseInt worked for me, but I had a feeling you might go the other way. I just tested your update and it works great for me.
Great! Glad it worked, and now cansecurity has a broader range of use cases.
When I use the api restrictToSelfOrRoles I end up here:
https://github.com/deitch/cansecurity/blob/master/lib/authorization.js#L20
and the comparison fails for me because on the left I have an integer and on the right I have a string. The string contains the integer value but since its not converted to an integer the test fails. I took the liberty of creating this PR to address it but this might be one of the differences between an express app and a restify app. For example, restify doesn't seem to have a param method on the req object. My first inclination was to fix this line such that if the param method was not available, fallback to the params (note the S) object which is available in restify. Then I came up with what I thought might be a better option, which was to simply add a param method to the restify req through middleware, so thats what I did. I basically "borrowed" the param method from express and glued it into restify:
https://gist.github.com/socketwiz/9c142302c1b8fc7fceb6
That leaves me with the problem I've addressed here. This PR fixes my problem, but I'm not sure what implications it would have on the project as a whole. Comments? Ideas?