Closed ndarilek closed 9 years ago
Well first thing, allowing users to set their own role with a query string from the client side is a fairly big security issue. What would stop any user from setting their role to something you don't want? (like perhaps /sign-up?role=admin
).
Aside from that, it looks like the issue with filling form fields via query strings is because the useraccounts templates package you are using is calling the rendered callback for the input field, but that callback is defined in the routing package (which appears to not be available to it yet). That said, moving the Template.atInput.onRendered
to the individual routing packages solves this issue.
I'll work on fixing this. Thank you for reporting the issue. Now go fix that security hole! ;)
On a side note, you should try to format your sample code blocks and surround them with triple backticks (```) when filing a Github issue. It's much easier for everyone to read formatted code with proper syntax highlighting. For example, your sample above ideally should look like this:
AccountsTemplates.addFields[{
_id: "username"
type: "text"
displayName: "Username"
required: true
minLength: 5
},
{
_id: "role"
type: "hidden"
}
]
See https://help.github.com/articles/markdown-basics/#code-formatting
On 8/11/2015 10:04 PM, Jeremy Shimko wrote:
Well first thing, allowing users to set their own role with a query string from the client side is a fairly big security issue. What would stop any user from setting their role to something you don't want? (like perhaps
/sign-up?role=admin
).
The fact that the code I *didn't show is this:
if user.profile?.role?
role = user.profile.role
if role == "assistant"
Roles.addUsersToRoles(user, "assistant")
else if role == "client"
Roles.addUsersToRoles(user, "client")
else
user.$remove()
throw new Meteor.Error("You dirty bastard")
Done this a time or two. :)
Aside from that, it looks like the issue with filling form fields via query strings is because the useraccounts templates package you are using is [calling the rendered callback][1] for the input field, but that callback is [defined in the routing package][2](which appears to not be available to it yet). That said, moving the
Template.atInput.onRendered
to the individual routing packages solves this issue. Saw that and was wondering if it might be at fault. Glad I was on the right track.On a side note, you should try to format your sample code blocks and surround them with triple backticks (```) when filing a Github issue. It's much easier for everyone to read formatted code with proper syntax highlighting. For example, your sample above ideally should look like this:
Done, apologies.
Excellent, thanks! Any chance of a new minor release soon?
When I access a URL of the form http://localhost:3000/sign-up?role=client with the following:
AccountsTemplates.addFields [ { _id: "username" type: "text" displayName: "Username" required: true minLength: 5 } email password { _id: "role" type: "hidden" } ]
When I view the form's source, I see my role field but no value, despite passing one in the query. Further, no value is populated in the profile field. When I add console.log statements in the call to atInputRendered, e.g.:
var queryKey = this.data.options && this.data.options.queryKey || fieldId; console.log("queryKey", queryKey);
I don't see anything printed.
Thanks.