Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upadapter commons whitelist skips filter items? #1971
Comments
|
I think that it's added by default. |
|
If so then what's the point of the whitelist? We want to disallow $populate from the client except where we explicitly allow it in feathers-mongoose, but not clear when that regressed (it used to work as expected...) |
|
It seems to lead to that change. |
|
|
|
That page explicitly says
The service being called DOES NOT WHITELIST $populate yet it is allowed. This feels like a bug - shouldn't the whitelist check happen before the filter check? |
|
That is correct and indeed does not seem to be the case at the moment. |
Steps to reproduce
First, not sure where adapter-commons is in 4.5.3.
We have a query in the client (using the Feathers client):
What's notable is
myServicedoes NOT whitelist $populate. I've confirmed at no point is it there.I'm confused by this code in
cleanQuery:The code thinks my
$populateis part of the filters, so it sees that we have a filter with this operator and lets it through! What's the point of the operator check if things like $populate are not considered?What does it mean for an operator to be part of the query vs the filter? I had trouble finding docs that explained it and this behavior.
This definitely worked at some point (where it would error out in this scenario).
Expected behavior
I would expect $populate to error in this case because I have not whitelisted it.
Actual behavior
The query succeeds and does the $populate
System configuration
Module versions (especially the part that's not working):
feathers-mongoose 8.3.0
adapter-commons 4.4.3 (because feathers-mongoose 8.3.0 specifies ^4.4.1)
feathersjs 4.5.3
NodeJS version:
12.16.3