Minor cleanup.
authorAlexey Kuznetsov <akuznetsov@apache.org>
Mon, 14 Jan 2019 11:40:36 +0000 (18:40 +0700)
committerAlexey Kuznetsov <akuznetsov@apache.org>
Mon, 14 Jan 2019 11:40:36 +0000 (18:40 +0700)
modules/web-console/backend/app/configure.js
modules/web-console/backend/package.json
modules/web-console/backend/routes/profile.js
modules/web-console/backend/services/users.js

index a0e5190..ac71b74 100644 (file)
@@ -25,6 +25,7 @@ const session = require('express-session');
 const connectMongo = require('connect-mongo');
 const passport = require('passport');
 const passportSocketIo = require('passport.socketio');
+const mongoSanitize = require('express-mongo-sanitize');
 
 // Fire me up!
 
@@ -50,6 +51,9 @@ module.exports.factory = function(settings, mongo, apis) {
             app.use(bodyParser.json({limit: '50mb'}));
             app.use(bodyParser.urlencoded({limit: '50mb', extended: true}));
 
+
+            app.use(mongoSanitize({replaceWith: '_'}));
+
             app.use(session({
                 secret: settings.sessionSecret,
                 resave: false,
index 4399ae7..9d1918e 100644 (file)
@@ -52,6 +52,7 @@
     "connect-mongo": "1.3.2",
     "cookie-parser": "1.4.3",
     "express": "4.15.3",
+    "express-mongo-sanitize": "1.3.2",
     "express-session": "1.15.4",
     "fire-up": "1.0.0",
     "glob": "7.1.2",
index 0ce2656..79fb3de 100644 (file)
@@ -43,7 +43,7 @@ module.exports.factory = function(mongo, usersService) {
             if (req.body.password && _.isEmpty(req.body.password))
                 return res.status(500).send('Wrong value for new password!');
 
-            usersService.save(req.body)
+            usersService.save(req.user._id, req.body)
                 .then((user) => {
                     const becomeUsed = req.session.viewedUser && req.user.admin;
 
index ed844db..ecfdc0b 100644 (file)
@@ -76,7 +76,7 @@ module.exports.factory = (errors, settings, mongo, spacesService, mailsService,
                 })
                 .then((registered) => {
                     return mongo.Space.create({name: 'Personal space', owner: registered._id})
-                        .then(() => registered)
+                        .then(() => registered);
                 })
                 .then((registered) => {
                     if (settings.activation.enabled) {
@@ -102,16 +102,17 @@ module.exports.factory = (errors, settings, mongo, spacesService, mailsService,
         /**
          * Save user.
          *
-         * @param {Object} changed - The user
+         * @param userId User ID.
+         * @param {Object} changed Changed user.
          * @returns {Promise.<mongo.ObjectId>} that resolves account id of merge operation.
          */
-        static save(changed) {
+        static save(userId, changed) {
             delete changed.admin;
             delete changed.activated;
             delete changed.activationSentAt;
             delete changed.activationToken;
 
-            return mongo.Account.findById(changed._id).exec()
+            return mongo.Account.findById(userId).exec()
                 .then((user) => {
                     if (!changed.password)
                         return Promise.resolve(user);