npm - apostrophe - Versions diffs - 4.28.0 → 4.29.0 - Mend

apostrophe 4.28.0 → 4.29.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (88) hide show

package/test/login-requirements.js CHANGED Viewed

@@ -637,7 +637,7 @@ describe('Expired Token Deletion', function() {
     const jar = apos.http.jar();
     // establish session
-    let page = await apos.http.get(
+    await apos.http.get(
       '/',
       {
         jar

package/test/pieces-public-api.js CHANGED Viewed

@@ -118,6 +118,86 @@ describe('Pieces Public API', function() {
     assert(!response.results[0].foo);
   });
+  it('should not leak distinct values of non-projected fields via ?choices=', async function() {
+    apos.thing.options.publicApiProjection = {
+      title: 1,
+      _url: 1
+    };
+    const response = await apos.http.get('/api/v1/thing?choices=title,foo');
+    assert(response);
+    assert(response.choices);
+    // title IS in the public API projection, so its choices are allowed
+    assert(response.choices.title);
+    assert(response.choices.title.some(c => c.label === 'hello'));
+    // foo is NOT in the public API projection: its distinct values
+    // must not be exposed to anonymous callers
+    assert(
+      !response.choices.foo || response.choices.foo.length === 0,
+      'choices for non-projected field "foo" must not be exposed publicly'
+    );
+  });
+  it('should not leak distinct values of non-projected fields via ?counts=', async function() {
+    apos.thing.options.publicApiProjection = {
+      title: 1,
+      _url: 1
+    };
+    const response = await apos.http.get('/api/v1/thing?counts=title,foo');
+    assert(response);
+    assert(response.counts);
+    assert(response.counts.title);
+    assert(
+      !response.counts.foo || response.counts.foo.length === 0,
+      'counts for non-projected field "foo" must not be exposed publicly'
+    );
+  });
+  it('should not leak non-projected fields via dot-notated ?choices= filter names', async function() {
+    apos.thing.options.publicApiProjection = {
+      title: 1,
+      _url: 1
+    };
+    // A dot-notated filter whose top-level segment is not projected
+    // must be blocked the same way the plain field name is.
+    const response = await apos.http.get('/api/v1/thing?choices=foo.bar');
+    assert(response);
+    assert(
+      !response.choices || !response.choices['foo.bar'] || response.choices['foo.bar'].length === 0,
+      'choices for dot-notated non-projected field "foo.bar" must not be exposed publicly'
+    );
+  });
+  it('should still expose choices for non-projected fields to authenticated API users', async function() {
+    apos.thing.options.publicApiProjection = {
+      title: 1,
+      _url: 1
+    };
+    const req = apos.task.getReq();
+    // Simulate a full-API caller: canAccessApi is true, no projection applied
+    const query = apos.thing.find(req).choices([ 'foo' ]);
+    await query.toArray();
+    const choices = query.get('choicesResults');
+    assert(choices);
+    assert(choices.foo);
+    assert(choices.foo.some(c => c.value === 'bar'));
+  });
+  it('should not restrict choices when an authenticated user voluntarily sets a projection', async function() {
+    apos.thing.options.publicApiProjection = {
+      title: 1,
+      _url: 1
+    };
+    const req = apos.task.getReq();
+    // Authenticated user narrows their own query via project() — this is
+    // voluntary and must not block choices for fields outside that projection
+    const query = apos.thing.find(req).project({ title: 1 }).choices([ 'foo' ]);
+    await query.toArray();
+    const choices = query.get('choicesResults');
+    assert(choices);
+    assert(choices.foo);
+    assert(choices.foo.some(c => c.value === 'bar'));
+  });
   it('should not set a "max-age" cache-control value when retrieving pieces, when cache option is not set, with a public API projection', async function() {
     apos.thing.options.publicApiProjection = {
       title: 1,

package/test/pieces.js CHANGED Viewed

@@ -2364,6 +2364,31 @@ describe('Pieces', function() {
         assert.deepEqual(actual, expected);
       });
+      it('should not leak viewPermission-protected fields via ?choices=', async function() {
+        const jar = await t.loginAs(apos, 'editor');
+        const req = apos.task.getReq();
+        const candidate = {
+          ...apos.modules.board.newInstance(),
+          title: 'Icarus',
+          slug: 'icarus',
+          discontinued: 'April 2077'
+        };
+        await apos.modules.board.insert(req, candidate);
+        // Editor does not have 'publish' permission on 'board', so
+        // 'discontinued' (viewPermission: { action: 'publish', type: 'board' })
+        // must not appear in choices
+        const response = await apos.http.get('/api/v1/board?choices=title,discontinued', { jar });
+        assert(response);
+        assert(response.choices);
+        assert(response.choices.title);
+        assert(
+          !response.choices.discontinued || response.choices.discontinued.length === 0,
+          'choices for viewPermission-protected field "discontinued" must not be exposed to editors'
+        );
+      });
       it('should be able to edit fields with editPermission when having appropriate credentials on rest API', async function() {
         const jar = await t.loginAs(apos, 'editor');