adminmate-express-mongoose 1.3.12 → 1.3.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/src/helpers/functions.js +9 -5
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "adminmate-express-mongoose",
3
- "version": "1.3.12",
3
+ "version": "1.3.13",
4
4
  "description": "Adminmate Express/Mongoose connector",
5
5
  "author": "Marc Delalonde",
6
6
  "homepage": "http://adminmate.io",
package/src/helpers/functions.js CHANGED
@@ -115,14 +115,17 @@ module.exports = _conf => {
115
115
  return queryRuleSet(rule);
116
116
  }
117
117
  let q = {};
118
+ // Strict 24-hex check — mongoose.isValidObjectId accepts any 24-char string,
119
+ // which throws when constructing an ObjectId from a non-hex value.
120
+ const isStrictObjectId = (val) => typeof val === 'string' && /^[a-f\d]{24}$/i.test(val);
118
121
  if (rule.operator === 'is') {
119
122
  // In order that aggregate queries to work well
120
- const value = mongoose.isValidObjectId(rule.value) ? new mongoose.Types.ObjectId(rule.value) : rule.value;
123
+ const value = isStrictObjectId(rule.value) ? new mongoose.Types.ObjectId(rule.value) : rule.value;
121
124
  q[rule.field] = { $eq: value };
122
125
  }
123
126
  else if (rule.operator === 'is_not') {
124
127
  // In order that aggregate queries to work well
125
- const value = mongoose.isValidObjectId(rule.value) ? new mongoose.Types.ObjectId(rule.value) : rule.value;
128
+ const value = isStrictObjectId(rule.value) ? new mongoose.Types.ObjectId(rule.value) : rule.value;
126
129
  q[rule.field] = { $ne: value };
127
130
  }
128
131
  // Date
@@ -334,9 +337,10 @@ module.exports = _conf => {
334
337
  params.$or.push({ [field]: { '$regex': `${search}`, '$options': 'i' } });
335
338
  });
336
339
 
337
- // If the search is a valid mongodb _id
338
- // An object id's only defining feature is that its 12 bytes long
339
- if (mongoose.isValidObjectId(search)) {
340
+ // If the search looks like a real mongodb ObjectId (24 hex chars).
341
+ // mongoose.isValidObjectId is too permissive (accepts any 24-char string),
342
+ // which causes Cast errors for values like "foo.myshopify.com" (24 chars but not hex).
343
+ if (/^[a-f\d]{24}$/i.test(search)) {
340
344
  params.$or.push({ _id: search });
341
345
  fieldsToPopulate.map(field => {
342
346
  params.$or.push({ [field.path]: search });