veliovgroup / Meteor-Files

🚀 Upload files via DDP or HTTP to ☄️ Meteor server FS, AWS, GridFS, DropBox or Google Drive. Fast, secure and robust.
https://packosphere.com/ostrio/files
BSD 3-Clause "New" or "Revised" License

findOne(undefined) gives the same result as findOne() #854

Closed YannLeBihan closed 1 year ago

YannLeBihan commented 1 year ago

The title says it all: if you provide undefined to a findOne operation instead of an explicit document id, it will not return an empty cursor as in standard Meteor collections, but the very first document of the collection - just like findOne() would.

This has the potential to generate a big mess in certain situations, especially if insufficient checks in the code allow undefined to make its way to the request: literally any file could be mistakenly displayed/downloaded in place of another, just because its corresponding document would be the first in the collection.

I noticed this behavior in Meteor 2.8.0 running Meteor-Files version v2.3.0, both on Mac and Linux, client side and server side.

YannLeBihan commented 1 year ago

As a quick workaround to bring back the standard behavior, I modified FilesCollection.prototype.findOne by inserting this at the beginning of the function:

if (arguments.length && !arguments[0]) return undefined;

and changing this line

let selector = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};

to this, since there is no more need to check for undefined:

let selector = arguments.length > 0 ? arguments[0] : {};

dr-dimitru commented 1 year ago

Hello @YannLeBihan,

This package is nearly as old as Meteor, and this behavior has remained the same from the very beginning. This part would remain the same.

Other meteorites are welcome to share if they demand .findOne() method changes.
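
Added example, not part of the thread and not Meteor-Files code: a caller-side guard that keeps a missing id from turning into an empty selector, shown next to the unguarded call. StubFilesCollection, findFileById and resolveDownload are hypothetical names; the stub reproduces only the selector-defaulting line quoted in the issue, and the sample documents are constructed.

```javascript
// Constructed stand-in for a FilesCollection: only the selector-defaulting
// line quoted in this issue is reproduced; the rest is hypothetical.
class StubFilesCollection {
  constructor(docs) {
    this.docs = docs;
  }

  findOne() {
    // Same defaulting as the quoted line: an undefined argument becomes {}.
    let selector = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
    if (typeof selector === 'string') selector = { _id: selector };
    // An empty selector matches every document, so the first one is returned.
    return this.docs.find((doc) =>
      Object.keys(selector).every((key) => doc[key] === selector[key])
    );
  }
}

// Hypothetical guard: query by id only when the id is a non-empty string,
// so a missing value can never widen the lookup to the whole collection.
function findFileById(collection, fileId) {
  if (typeof fileId !== 'string' || fileId.length === 0) {
    return undefined;
  }
  return collection.findOne({ _id: fileId });
}

// Hypothetical download handler running both call styles on the same input.
function resolveDownload(collection, params) {
  return {
    unguarded: collection.findOne(params.fileId),
    guarded: findFileById(collection, params.fileId),
  };
}

// Constructed sample documents.
const files = new StubFilesCollection([
  { _id: 'a1', name: 'payroll.pdf', userId: 'alice' },
  { _id: 'b2', name: 'avatar.png', userId: 'bob' },
]);

// Request with no fileId parameter: params.fileId is undefined.
const missing = resolveDownload(files, {});
// Well-formed request for an existing file.
const valid = resolveDownload(files, { fileId: 'b2' });
```

With the missing parameter, the unguarded call resolves to the first document in the collection while the guarded call resolves to nothing; both agree on the well-formed request.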