npm - monastery - Versions diffs - 1.32.5 → 1.35.0 - Mend

monastery 1.32.5 → 1.35.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/lib/model-crud.js CHANGED Viewed

@@ -6,33 +6,32 @@ module.exports = {
     /**
      * Inserts document(s) with monk after validating data & before hooks.
      * @param {object} opts
-     *     @param {object|array} <opts.data> - documents to insert
-     *     @param {array|string|false} <opts.blacklist> - augment schema.insertBL, `false` will remove all blacklisting
+     *     @param {object|array} opts.data - documents to insert
+     *     @param {array|string|false} <opts.blacklist> - augment schema.insertBL, `false` will remove blacklisting
+     *     @param {array|string} <opts.project> - return only these fields, ignores blacklisting
      *     @param {boolean} <opts.respond> - automatically call res.json/error (requires opts.req)
-     *     @param {array|string|false} validateUndefined - validates all 'required' undefined fields, true by
-     *         default, but false on update
      *     @param {array|string|true} <opts.skipValidation> - skip validation for this field name(s)
      *     @param {boolean} <opts.timestamps> - whether `createdAt` and `updatedAt` are automatically inserted
-     *     @param {any} <opts.any> - any mongodb option
+     *     @param {array|string|false} <opts.validateUndefined> - validates all 'required' undefined fields, true by
+     *         default, but false on update
+     *     @param {any} <any mongodb option>
      * @param {function} <cb> - execute cb(err, data) instead of responding
-     * @this model
      * @return promise
+     * @this model
      */
     if (cb && !util.isFunction(cb)) {
       throw new Error(`The callback passed to ${this.name}.insert() is not a function`)
     }
     try {
       opts = await this._queryObject(opts, 'insert')
-      let options = util.omit(opts, [
-        'data', 'insert', 'model', 'respond', 'validateUndefined', 'skipValidation', 'blacklist'
-      ])
+      let custom = ['blacklist', 'data', 'insert', 'model', 'respond', 'skipValidation',  'validateUndefined']
       // Validate
-      let data = await this.validate(opts.data||{}, { ...opts })
+      let data = await this.validate(opts.data || {}, { ...opts })
       // Insert
       await util.runSeries(this.beforeInsert.map(f => f.bind(opts, data)))
-      let response = await this._insert(data, options)
+      let response = await this._insert(data, util.omit(opts, custom))
       await util.runSeries(this.afterInsert.map(f => f.bind(opts, response)))
       // Success/error
@@ -51,56 +50,42 @@ module.exports = {
     /**
      * Finds document(s) with monk, also auto populates
      * @param {object} opts
-     *     @param {object} <opts.query> - mongodb query object
-     *     @param {boolean} <opts.respond> - automatically call res.json/error (requires opts.req)
-     *     @param {array} <opts.populate> - population, see docs
      *     @param {array|string|false} <opts.blacklist> - augment schema.findBL, `false` will remove all blacklisting
+     *     @param {array} <opts.populate> - population, see docs
      *     @param {array|string} <opts.project> - return only these fields, ignores blacklisting
-     *     @param {any} <opts.any> - any mongodb option
+     *     @param {object} <opts.query> - mongodb query object
+     *     @param {boolean} <opts.respond> - automatically call res.json/error (requires opts.req)
+     *     @param {any} <any mongodb option>
      * @param {function} <cb> - execute cb(err, data) instead of responding
-     * @this model
      * @return promise
+     * @this model
      */
     if (cb && !util.isFunction(cb)) {
       throw new Error(`The callback passed to ${this.name}.find() is not a function`)
     }
     try {
       opts = await this._queryObject(opts, 'find', one)
+      let custom = ['blacklist', 'one', 'populate', 'project', 'query', 'respond']
       let lookups = []
-      let options = util.omit(opts, ['blacklist', 'one', 'populate', 'project', 'query', 'respond'])
-      options.addFields = options.addFields || {}
-      // Project, or use blacklisting
-      if (opts.project) {
-        // Can be an inclusion or exclusion projection
-        if (util.isString(opts.project)) {
-          opts.project = opts.project.trim().split(/\s+/)
-        }
-        if (util.isArray(opts.project)) {
-          options.projection = opts.project.reduce((o, v) => {
-            o[v.replace(/^-/, '')] = v.match(/^-/)? 0 : 1
-            return o
-          }, {})
-        }
-      } else {
-        // Calculate the exclusion-projection
-        let blacklistProjection = { ...this.findBLProject }
-        blacklistProjection = this._addDeepBlacklists(blacklistProjection, opts.populate)
-        options.projection = this._addBlacklist(blacklistProjection, opts.blacklist)
-      }
+      // Get projection
+      if (opts.project) opts.projection = this._getProjectionFromProject(opts.project)
+      else opts.projection = this._getProjectionFromBlacklist(opts.type, opts.blacklist)
       // Has text search?
       // if (opts.query.$text) {
-      //   options.projection.score = { $meta: 'textScore' }
-      //   options.sort = { score: { $meta: 'textScore' }}
+      //   opts.projection.score = { $meta: 'textScore' }
+      //   opts.sort = { score: { $meta: 'textScore' }}
       // }
       // Wanting to populate?
       if (!opts.populate) {
-        var response = await this[`_find${opts.one? 'One' : ''}`](opts.query, options)
+        var response = await this[`_find${opts.one? 'One' : ''}`](opts.query, util.omit(opts, custom))
       } else {
         loop: for (let item of opts.populate) {
           let path = util.isObject(item)? item.as : item
           // Blacklisted?
-          if (!this._pathInProjection(path, options.projection, true)) continue loop
+          if (this._pathBlacklisted(path, opts.projection)) continue loop
           // Custom $lookup definition
           // https://thecodebarbarian.com/a-nodejs-perspective-on-mongodb-36-lookup-expr
           if (util.isObject(item)) {
@@ -121,7 +106,7 @@ module.exports = {
               continue
             }
             // Populate model (convert array into document & create lookup)
-            options.addFields[path] = { '$arrayElemAt': [ '$' + path, 0 ] }
+            (opts.addFields = opts.addFields || {})[path] = { '$arrayElemAt': [ '$' + path, 0 ] }
             lookups.push({ $lookup: {
               from: modelName,
               localField: path,
@@ -130,26 +115,26 @@ module.exports = {
             }})
           }
         }
-        // console.log(1, options.projection)
+        // console.log(1, opts.projection)
         // console.log(2, lookups)
         let aggregate = [
           { $match: opts.query },
-          { $sort: options.sort },
-          { $skip: options.skip },
-          ...(options.limit? [{ $limit: options.limit }] : []),
+          { $sort: opts.sort },
+          { $skip: opts.skip },
+          ...(opts.limit? [{ $limit: opts.limit }] : []),
           ...lookups,
-          ...util.isEmpty(options.addFields)? [] : [{ $addFields: options.addFields }],
-          { $project: options.projection }
+          ...(opts.addFields? [{ $addFields: opts.addFields }] : []),
+          ...(opts.projection? [{ $project: opts.projection }] : []),
         ]
         response = await this._aggregate(aggregate)
         this.info('aggregate', JSON.stringify(aggregate))
       }
+      // Returning one?
       if (opts.one && util.isArray(response)) response = response[0]
-      // (Not using) Project works with lookup.
-      // Remove blacklisted properties from joined models, because subpiplines with 'project' are slower
-      // if (opts.populate) this._depreciated_removeBlacklisted(data, opts.populate, options.projection)
-      response = await this._processAfterFind(response, options.projection, opts)
+      // Process afterFind hooks
+      response = await this._processAfterFind(response, opts.projection, opts)
       // Success
       if (cb) cb(null, response)
@@ -167,26 +152,27 @@ module.exports = {
     return this.find(opts, cb, true)
   },
-  // findOneAndUpdate: function(opts, cb) {
-  //   return this._findOneAndUpdate(opts, cb)
-  // },
+  findOneAndUpdate: function(opts, cb) {
+    return this._findOneAndUpdate(opts, cb)
+  },
   update: async function(opts, cb) {
     /**
      * Updates document(s) with monk after validating data & before hooks.
      * @param {object} opts
+     *     @param {object|array} opts.data - mongodb document update object(s)
+     *     @param {array|string|false} <opts.blacklist> - augment schema.updateBL, `false` will remove blacklisting
+     *     @param {array|string} <opts.project> - return only these fields, ignores blacklisting
      *     @param {object} <opts.query> - mongodb query object
-     *     @param {object|array} <opts.data> - mongodb document update object(s)
      *     @param {boolean} <opts.respond> - automatically call res.json/error (requires opts.req)
-     *     @param {array|string|false} validateUndefined - validates all 'required' undefined fields, true by
-     *         default, but false on update
      *     @param {array|string|true} <opts.skipValidation> - skip validation for this field name(s)
      *     @param {boolean} <opts.timestamps> - whether `updatedAt` is automatically updated
-     *     @param {array|string|false} <opts.blacklist> - augment schema.updateBL, `false` will remove all blacklisting
-     *     @param {any} <opts.any> - any mongodb option
+     *     @param {array|string|false} <opts.validateUndefined> - validates all 'required' undefined fields, true by
+     *         default, but false on update
+     *     @param {any} <any mongodb option>
      * @param {function} <cb> - execute cb(err, data) instead of responding
-     * @this model
      * @return promise(data)
+     * @this model
      */
     if (cb && !util.isFunction(cb)) {
       throw new Error(`The callback passed to ${this.name}.update() is not a function`)
@@ -196,7 +182,7 @@ module.exports = {
       let data = opts.data
       let response = null
       let operators = util.pluck(opts, [/^\$/])
-      let options = util.omit(opts, ['data', 'query', 'respond', 'validateUndefined', 'skipValidation', 'blacklist'])
+      let custom = ['blacklist', 'data', 'query', 'respond', 'skipValidation', 'validateUndefined']
       // Validate
       if (util.isDefined(data)) data = await this.validate(opts.data, { ...opts })
@@ -215,7 +201,7 @@ module.exports = {
         operators['$set'] = { ...data, ...(operators['$set'] || {}) }
       }
       // Update
-      let update = await this._update(opts.query, operators, options)
+      let update = await this._update(opts.query, operators, util.omit(opts, custom))
       if (update.n) response = Object.assign(Object.create({ _output: update }), operators['$set']||{})
       // Hook: afterUpdate (doesn't have access to validated data)
@@ -240,22 +226,22 @@ module.exports = {
      *     @param {object} <opts.query> - mongodb query object
      *     @param {boolean} <opts.respond> - automatically call res.json/error (requires opts.req)
      *     @param {boolean=true} <opts.multi> - set to false to limit the deletion to just one document
-     *     @param {any} <opts.any> - any mongodb option
+     *     @param {any} <any mongodb option>
      * @param {function} <cb> - execute cb(err, data) instead of responding
-     * @this model
      * @return promise
+     * @this model
      */
     if (cb && !util.isFunction(cb)) {
       throw new Error(`The callback passed to ${this.name}.remove() is not a function`)
     }
     try {
       opts = await this._queryObject(opts, 'remove')
-      let options = util.omit(opts, ['query', 'respond'])
+      let custom =  ['query', 'respond']
       if (util.isEmpty(opts.query)) throw new Error('Please specify opts.query')
       // Remove
       await util.runSeries(this.beforeRemove.map(f => f.bind(opts)))
-      let response = await this._remove(opts.query, options)
+      let response = await this._remove(opts.query, util.omit(opts, custom))
       await util.runSeries(this.afterRemove.map(f => f.bind(response)))
       // Success
@@ -270,15 +256,124 @@ module.exports = {
     }
   },
+  _getProjectionFromBlacklist: function(type, customBlacklist) {
+    /**
+     * Returns an exclusion projection
+     *
+     * Path collisions are removed
+     * E.g. ['pets.dogs', 'pets.dogs.name', '-cat', 'pets.dogs.age'] = { 'pets.dog': 0 }
+     *
+     * @param {string} type - find, insert, or update
+     * @param {array|string|false} customBlacklist - normally passed through options
+     * @return {array|undefined} exclusion $project {'pets.name': 0}
+     * @this model
+     *
+     * 1. collate deep-blacklists
+     * 2. concatenate the model's blacklist and any custom blacklist
+     * 3. create an exclusion projection object from the blacklist, overriding from left to right
+     */
+    let list = []
+    let manager = this.manager
+    let projection = {}
+    if (customBlacklist === false) return
+    // String?
+    if (typeof customBlacklist === 'string') {
+      customBlacklist = customBlacklist.trim().split(/\s+/)
+    }
+    // Concat deep blacklists
+    if (type == 'find') {
+      util.forEach(this.fieldsFlattened, (schema, path) => {
+        if (!schema.model) return
+        let deepBL = manager.model[schema.model][`${type}BL`] || []
+        let pathWithoutArrays = path.replace(/\.0(\.|$)/, '$1')
+        list = list.concat(deepBL.map(o => {
+          return `${o.charAt(0) == '-'? '-' : ''}${pathWithoutArrays}.${o.replace(/^-/, '')}`
+        }))
+      })
+    }
+    // Concat model, and custom blacklists
+    list = list.concat([...this[`${type}BL`]]).concat(customBlacklist || [])
+    // Loop blacklists
+    for (let _key of list) {
+      let key = _key.replace(/^-/, '')
+      let whitelisted = _key.match(/^-/)
+      // Remove any child fields. E.g remove { user.token: 0 } = key2 if iterating { user: 0 } = key
+      for (let key2 in projection) {
+        // todo: need to write a test, testing that this is scoped to \.
+        if (key2.match(new RegExp('^' + key.replace(/\./g, '\\.') + '(\\.|$)'))) {
+          delete projection[key2]
+        }
+      }
+      // Whitelist
+      if (whitelisted) {
+        projection[key] = 1
+        // Whitelisting a child of a blacklisted field (blacklist expansion)
+        // let parent = '' // highest blacklisted parent
+        // for (let key2 in projection) {
+        //   if (key2.length > parent.length && key.match(new RegExp('^' + key2.replace(/\./g, '\\.')))) {
+        //     parent = key2
+        //   }
+        // }
+      // Blacklist (only if there isn't a parent blacklisted)
+      } else {
+        let parent
+        for (let key2 in projection) { // E.g. [address = key2, addresses.country = key]
+          if (projection[key2] == 0 && key.match(new RegExp('^' + key2.replace(/\./g, '\\.') + '\\.'))) {
+            parent = key2
+          }
+        }
+        if (!parent) projection[key] = 0
+      }
+    }
+    // Remove whitelist projections
+    for (let key in projection) {
+      if (projection[key]) delete projection[key]
+    }
+    return util.isEmpty(projection) ? undefined : projection
+  },
+  _getProjectionFromProject: function(customProject) {
+    /**
+     * Returns an in/exclusion projection
+     * todo: tests
+     *
+     * @param {object|array|string} customProject - normally passed through options
+     * @return {array|undefined} in/exclusion projection {'pets.name': 0}
+     * @this model
+     */
+    let projection
+    if (util.isString(customProject)) {
+      customProject = customProject.trim().split(/\s+/)
+    }
+    if (util.isArray(customProject)) {
+      projection = customProject.reduce((o, v) => {
+        o[v.replace(/^-/, '')] = v.match(/^-/)? 0 : 1
+        return o
+      }, {})
+    }
+    return projection
+  },
   _queryObject: async function(opts, type, one) {
     /**
      * Normalise options
      * @param {MongoId|string|object} opts
      * @param {string} type - operation type
      * @param {boolean} one - return one document
-     * @this model
      * @return {Promise} opts
+     * @this model
      *
+     * Query parsing logic:
      * opts == string|MongodId - treated as an id
      * opts == undefined|null|false - throw error
      * opts.query == string|MongodID - treated as an id
@@ -321,6 +416,7 @@ module.exports = {
     if (!util.isDefined(opts.data) && util.isDefined((opts.req||{}).body)) opts.data = opts.req.body
     if (util.isDefined(opts.data)) opts.data = await util.parseData(opts.data)
+    opts.type = type
     opts[type] = true
     opts.model = this
     return opts
@@ -332,11 +428,12 @@ module.exports = {
      * Recurses through fields that are models and populates missing default-fields and calls model.afterFind([fn,..])
      * Be sure to add any virtual fields to the schema that your populating on,
      * e.g. "nurses": [{ model: 'user' }]
+     *
      * @param {object|array|null} data
      * @param {object} projection - $project object
      * @param {object} afterFindContext - handy context object given to schema.afterFind
-     * @this model
      * @return Promise(data)
+     * @this model
      */
     // Recurse down from the parent model, ending with the parent model as the parent afterFind hook may
     // want to manipulate any populated models
@@ -347,17 +444,18 @@ module.exports = {
     // Loop found model/deep-model data objects, and populate missing default-fields and call afterFind on each
     for (let item of modelData) {
-      // Populuate missing default fields if data !== null
+      // Populate missing default fields if data !== null
       // NOTE: maybe only call functions if default is being set.. fine for now
       if (item.dataRef) {
-        util.forEach(model[item.modelName].defaultFieldsFlattened, (schema, path) => {
+        util.forEach(model[item.modelName].fieldsFlattened, (schema, path) => {
+          if (!util.isDefined(schema.default) || path.match(/^\.?(createdAt|updatedAt)$/)) return
           let parentPath = item.fieldName? item.fieldName + '.' : ''
           let pathWithoutArrays = (parentPath + path).replace(/\.0(\.|$)/, '$1')
-          // Ignore default fields that are excluded in a blacklist/parent-blacklist
-          if (!this._pathInProjection(pathWithoutArrays, projection, true)) return
-          // Ignore default
+          // Ignore default fields that are blacklisted
+          if (this._pathBlacklisted(pathWithoutArrays, projection)) return
+          // console.log(pathWithoutArrays, path, projection)
+          // Set value
           let value = util.isFunction(schema.default)? schema.default(this.manager) : schema.default
-          // console.log(item.dataRef)
           util.setDeepValue(item.dataRef, path.replace(/\.0(\.|$)/g, '.$$$1'), value, true, false, true)
         })
       }
@@ -369,190 +467,34 @@ module.exports = {
     return util.runSeries(callbackSeries).then(() => data)
   },
-  _addDeepBlacklists: function(blacklistProjection, populate) {
-    /**
-     * Include deep-model blacklists into the projection
-     * @param {object} blacklistProject
-     * @param {array} populate - find populate array
-     * @return {object} exclusion blacklist
-     * @this model
-     */
-    let model = this
-    let manager = this.manager
-    let paths = (populate||[]).map(o => o && o.as? o.as : o)
-    if (!paths.length) return blacklistProjection
-    this._recurseFields(model.fields, '', function(path, field) {
-      // Remove array indexes from the path e.g. '0.'
-      path = path.replace(/(\.[0-9]+)(\.|$)/, '$2')
-      if (!field.model || !paths.includes(path)) return
-      loop: for (let prop of manager.model[field.model].findBL) {
-        // Don't include any deep model projection keys that already have a parent specified. E.g if
-        // both { users.secrets: 1 } and { users.secrets.token: 1 } exist, remove the later
-        for (let key in blacklistProjection) {
-          if ((path + '.' + prop).match(new RegExp('^' + key.replace(/\./g, '\\.') + '(\\.|$)'))) {
-            continue loop
-          }
-        }
-        // Add model property to blacklist
-        blacklistProjection[path + '.' + prop] = 0
-      }
-    })
-    return blacklistProjection
-  },
-  _addBlacklist: function(blacklistProjection, blacklist) {
-    /**
-     * Merge blacklist in
-     * @param {object} blacklistProjection
-     * @param {array} paths - e.g. ['password', '-email'] - email will be whitelisted / removed from
-     *   exlcusion projection
-     * @return {object} exclusion blacklist
-     * @this model
-     */
-    if (blacklist === false) {
-      return {}
-    } else if (!blacklist) {
-      return blacklistProjection
-    } else {
-      // Loop blacklist
-      for (let _key of blacklist) {
-        let key = _key.replace(/^-/, '')
-        let negated = _key.match(/^-/)
-        // Remove any deep projection keys that already have a parent specified. E.g if
-        // both { users.secrets: 0 } and { users.secrets.token: 0 } exist, remove the later
-        for (let key2 in blacklistProjection) {
-          if (key2.match(new RegExp('^' + key.replace(/\./g, '\\.') + '(\\.|$)'))) {
-            delete blacklistProjection[key2]
-          }
-        }
-        if (negated) {
-          if (blacklistProjection.hasOwnProperty(key)) delete blacklistProjection[key]
-        } else {
-          blacklistProjection[key] = 0
-        }
-      }
-      return blacklistProjection
-    }
-  },
-  _depreciated_removeBlacklisted: function(data, populate, whitelist) {
+  _pathBlacklisted: function(path, projection, matchDeepWhitelistedKeys=true) {
     /**
-     * Remove blacklisted fields, takes foreign model blacklists into account
-     * @param {object|array} data
-     * @param {array} <populate> find populate list
-     * @param {array} <whitelist>
-     */
-    let findBL = this.findBL
-    let findWL = [ '_id', ...this.findWL ]
-    let model = this.manager.model
-    this._recurseFields(this.fields, '', function(path, field) {
-      // Remove array indexes from the path e.g. '0.'
-      path = path.replace(/(\.[0-9]+)(\.|$)/, '$2')
-      //if (field.type == 'any') findWL.push(path) //exclude.push(path)
-      // Below: Merge in model whitelists (we should cache the results)
-      if (!field.model) return
-      else if (!model[field.model]) return
-      // Has this path been blacklisted already?
-      for (let blacklisted of findBL) {
-        if (blacklisted === path || path.includes(blacklisted + '.', 0)) {
-          return
-        }
-      }
-      // Populating?
-      if ((populate||[]).includes(path)) {
-        // Remove the model-field from the whitelist if populating
-        let parentIndex = findWL.indexOf(path)
-        if (parentIndex !== -1) findWL.splice(parentIndex, 1)
-        // Okay, merge in the model's whitelist
-        findWL.push(path + '.' + '_id')
-        for (let prop of model[field.model].findWL) {
-          // Dont add model properties that are already blacklisted
-          if (findBL.includes(path + '.' + prop)) continue
-          // Add model prop to whitelist
-          findWL.push(path + '.' + prop)
-        }
-      }
-    })
-    // Merge in the passed in whitelist
-    findWL = findWL.concat(whitelist || [])
-    // Fill in missing parents e.g. pets.dog.name, pets.dog doesn't exist
-    // Doesn't matter what order these are added in
-    // for (let whitelisted of findWL) {
-    //   let parents = whitelisted.split('.')
-    //   let target = ''
-    //   for (let parent of parents) {
-    //     if (!findWL.includes(target + parent)) findWL.push(target + parent)
-    //     target = target + parent + '.'
-    //   }
-    // }
-    console.log(1, findWL)
-    console.log(2, data)
-    // "data.cat.colour" needs to add "data.cat"
-    // "data.cat" needs to everything
-    function recurseAndDeleteData(data, path) {
-      // Remove array indexes from the path e.g. '0.'
-      let newpath = path.replace(/(\.[0-9]+)(\.|$)/, '$2')
-      util.forEach(data, function(field, fieldName) {
-        if ((util.isArray(field) || util.isObjectAndNotID(field))/* && !exclude.includes(newpath + fieldName)*/) {
-          if (findWL.includes(newpath + fieldName)) return
-          recurseAndDeleteData(field, newpath + fieldName + '.')
-        } else if (!findWL.includes(newpath + fieldName) && !util.isNumber(fieldName)) {
-          console.log(3, fieldName)
-          delete data[fieldName]
-        }
-      })
-    }
-    for (let doc of util.toArray(data)) {
-      recurseAndDeleteData(doc, '')
-    }
-    return data
-  },
-  _pathInProjection: function(path, projection, matchParentPaths) {
-    /**
-     * Checks if the path is valid within a inclusion/exclusion projection
+     * Checks if the path is blacklisted within a inclusion/exclusion projection
      * @param {string} path - path without array brackets e.g. '.[]'
-     * @param {object} projection
-     * @param {boolean} matchParentPaths - match paths included in a key (inclusive only)
+     * @param {object} projection - inclusion/exclusion projection, not mixed
+     * @param {boolean} matchDeepWhitelistedKeys - match deep whitelisted keys containing path
+     *     E.g. pets.color == pets.color.age
      * @return {boolean}
      */
-    let inc
-    // console.log(path, projection)
     for (let key in projection) {
-      if (projection[key] && matchParentPaths) {
-        // Inclusion
-        // E.g. 'pets.color.age'.match(/^pets.color.age(.|$)/) = match
-        // E.g. 'pets.color.age'.match(/^pets.color(.|$)/) = match
-        // E.g. 'pets.color'.match(/^pets.color.age(.|$)/) = match
-        inc = true
-        if (key.match(new RegExp('^' + path.replace(/\./g, '\\.') + '(\\.|$)'))) return true
-        if (path.match(new RegExp('^' + key.replace(/\./g, '\\.') + '(\\.|$)'))) return true
-      } else if (projection[key]) {
-        // Inclusion (equal to key, or key included in path)
-        // E.g. 'pets.color.age'.match(/^pets.color.age(.|$)/) = match
-        // E.g. 'pets.color.age'.match(/^pets.color(.|$)/) = match
-        // E.g. 'pets.color'.match(/^pets.color.age(.|$)/) = no match
-        inc = true
-        if (path.match(new RegExp('^' + key.replace(/\./g, '\\.') + '(\\.|$)'))) return true
-      } else {
-        // Exclusion
-        // E.g. 'pets.color.age'.match(/^pets.color(.|$)/) = match
+      if (projection[key]) {
+        // Inclusion (whitelisted)
+        // E.g. pets.color.age == pets.color.age  (exact match)
+        // E.g. pets.color.age == pets.color      (path contains key)
+        var inclusion = true
         if (path.match(new RegExp('^' + key.replace(/\./g, '\\.') + '(\\.|$)'))) return false
+        if (matchDeepWhitelistedKeys) {
+          // E.g. pets.color   == pets.color.age  (key contains path)
+          if (key.match(new RegExp('^' + path.replace(/\./g, '\\.') + '\\.'))) return false
+        }
+      } else {
+        // Exclusion (blacklisted)
+        // E.g. pets.color.age == pets.color.age  (exact match)
+        // E.g. pets.color.age == pets.color      (path contains key)
+        if (path.match(new RegExp('^' + key.replace(/\./g, '\\.') + '(\\.|$)'))) return true
       }
     }
-    return inc? false : true
+    return inclusion? true : false
   },
   _recurseAndFindModels: function(fields, dataArr) {
@@ -630,6 +572,6 @@ module.exports = {
         cb(path + fieldName, field)
       }
     }, this)
-  }
+  },
 }