Restrict fields for seneca-standard-query (#227)

Wardormeur · DanielBrierton · commit 5d0f4f9bd32d · 2016-12-05T17:13:56.000Z
* Restrict fields for seneca-standard-query

* typo
diff --git a/service.js b/service.js
@@ -6,6 +6,7 @@ if (process.env.NEW_RELIC_ENABLED === 'true') require('newrelic');
 
 var config = require('./config/config.js')();
 var seneca = require('seneca')(config);
+var _ = require('lodash');
 var store = require('seneca-postgresql-store');
 var log = require('cp-logs-lib')({name: 'cp-users-service', level: 'warn'});
 config.log = log.log;
@@ -70,4 +71,40 @@ require('./migrate-psql-db.js')(function (err) {
   .client({ type: 'web', port: 10304, pin: { role: 'cd-salesforce', cmd: '*' } })
   .client({ type: 'web', port: 10301, pin: 'role:cd-dojos,cmd:*' })
   .client({ type: 'web', port: 10305, pin: {role: 'cd-badges', cmd: '*'} });
+
+  seneca.ready(function () {
+    var escape = require('seneca-postgresql-store/lib/relational-util').escapeStr;
+    ['load', 'list'].forEach(function (cmd) {
+      seneca.wrap('role: entity, cmd: ' + cmd, function filterFields (args, cb) {
+        try {
+          ['limit$', 'skip$'].forEach(function (field) {
+            if (args.q[field] && args.q[field] !== 'NULL' && !/^[0-9]+$/g.test(args.q[field] + '')) {
+              throw new Error('Expect limit$, skip$ to be a number');
+            }
+          });
+          if (args.q.sort$) {
+            if (args.q.sort$ && typeof args.q.sort$ === 'object') {
+              var order = args.q.sort$;
+              _.each(order, function (ascdesc, column) {
+                if (!/^[a-zA-Z0-9_]+$/g.test(column)) {
+                  throw new Error('Unexpect characters in sort$');
+                }
+              });
+            } else {
+              throw new Error('Expect sort$ to be an object');
+            }
+          }
+          if (args.q.fields$) {
+            args.q.fields$.forEach(function (field, index) {
+              args.q.fields$[index] = '\"' + escape(field) + '\"';
+            });
+          }
+          this.prior(args, cb);
+        } catch (err) {
+          // cb to avoid seneca-transport to hang while waiting for timeout error
+          return cb(err);
+        }
+      });
+    });
+  });
 });
