kuzzleio / kuzzle

Open-source Back-end, self-hostable & ready to use - Real-time, storage, advanced search - Web, Apps, Mobile, IoT
https://kuzzle.io
Apache License 2.0

delete a role which is included within profiles #343

Closed ballinette closed 8 years ago

ballinette commented 8 years ago

Say we have a role test:

{
  "_id": "test",
  "controllers":  { ... }
}

And a profile that uses this role:

{
  "_id": "yolo",
  "policies": [
    { "_id": "test" }
  ]
}

If we try to delete the role, it is actually deleted, while we shouldn't be allowed to do it, as the role is still involved in a profile.

code to fix: https://github.com/kuzzleio/kuzzle/blob/develop/lib/api/core/models/repositories/roleRepository.js#L231 (probably the filter that doesn't work):

filter = { or: [{terms: { 'roles': [ role ] }}] };

return kuzzle.repositories.profile.search(filter, 0, 1, false)
  .then(response => {
    if (response.total > 0) {
      return q.reject(new BadRequestError('The role "' + role._id + '" cannot be deleted since it is used by some profile.'));
    }

    return this.deleteFromDatabase(role._id)
      .then(deleteResponse => {
        if (this.roles[role._id]) {
          delete this.roles[role._id];
        }

        return deleteResponse;
      });
  });

ballinette commented 8 years ago

NB: to fix that, we should replace the filter with

filter = { or: [{terms: { 'roles._id': [ role._id ] }}] };

... but as PR #332 is in review and is actually refactoring the repositories (especially the naming: roles replaced by policies), I suggest waiting for this PR to be merged before fixing this bug ;)
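The two filters discussed above, compared in an added example that is not part of the original comments or of Kuzzle's code. It assumes profiles store role references under `roles` and models `terms` as a strict-equality match on the values at a dotted path; `valuesAt`, `countMatches`, `deleteRole`, `brokenFilter` and `fixedFilter` are hypothetical names.

```javascript
// Constructed sample data: in-memory stand-in for the profile index.
// Assumption: profiles keep role references under `roles`, as the filters expect.
const profiles = [
  { _id: 'yolo', roles: [{ _id: 'test' }] },
  { _id: 'admin', roles: [{ _id: 'root' }] }
];

// Collect every value reachable at a dotted path, descending into arrays.
function valuesAt(doc, path) {
  const flat = nodes => nodes.flatMap(n => (Array.isArray(n) ? n : [n]));
  return flat(path.split('.').reduce((nodes, key) => flat(nodes)
    .filter(n => n !== null && typeof n === 'object' && key in n)
    .map(n => n[key]), [doc]));
}

// Simplified `terms` semantics (assumption): a profile matches when a value
// stored at `field` is strictly equal to one of the requested terms.
function countMatches(field, terms) {
  return profiles.filter(p =>
    valuesAt(p, field).some(v => terms.includes(v))).length;
}

// Hypothetical guard mirroring the check in the issue: refuse to delete a
// role while at least one profile still references it.
function deleteRole(roles, role, buildFilter) {
  const { field, terms } = buildFilter(role);
  if (countMatches(field, terms) > 0) {
    throw new Error(`The role "${role._id}" cannot be deleted since it is used by some profile.`);
  }
  delete roles[role._id];
  return { _id: role._id, deleted: true };
}

// Original filter: object field compared against a whole role object.
const brokenFilter = role => ({ field: 'roles', terms: [role] });
// Proposed filter: nested id field compared against the role id.
const fixedFilter = role => ({ field: 'roles._id', terms: [role._id] });

for (const [name, build] of [['broken', brokenFilter], ['fixed', fixedFilter]]) {
  const roles = { test: { _id: 'test' } };
  try {
    deleteRole(roles, { _id: 'test' }, build);
    console.log(`${name}: role deleted, profile "yolo" now references a missing role`);
  } catch (e) {
    console.log(`${name}: ${e.message}`);
  }
}
```

With the broken filter the guard never fires, so the profile is left pointing at a role that no longer exists; a regression test should assert both the rejection and that the role is still present afterwards.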

j33f commented 8 years ago

Fixed in PR #332