This repository was archived by the owner on Dec 14, 2023. It is now read-only.

Commit b9be827

committed
Defensive fixes around args.user.id
1 parent 3e47113 commit b9be827


1 file changed

+25
-16
lines changed


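--- a/profiles.js
+++ b/profiles.js
@@ -148,8 +148,9 @@ module.exports = function (options) {
 function saveProfile (done) {
 var profileKeys = _.keys(profile);
 var missingKeys = _.difference(requiredProfileFields, profileKeys);
+var userId = args.user ? args.user.id : null;
 if (_.isEmpty(missingKeys)) profile.requiredFieldsComplete = true;
-if (args.user.id !== profile.userId) return done(null, new Error('Profiles can only be saved by the profile user.'));
+if (userId !== profile.userId) return done(null, new Error('Profiles can only be saved by the profile user.'));
 if (profile.id) {
 profile = _.omit(profile, immutableFields);
 }
@@ -235,8 +236,9 @@ module.exports = function (options) {
 
 function cmd_save_youth_profile (args, done) {
 var profile = args.profile;
+var userId = args.user ? args.user.id : null;
 profile.parents = [];
-profile.parents.push(args.user.id);
+profile.parents.push(userId);
 
 if (profile.id) {
 profile = _.omit(profile, immutableFields);
@@ -270,8 +272,8 @@ module.exports = function (options) {
 profile.userType = data && data.user && data.user.initUserType && data.user.initUserType.name;
 
 profile = _.omit(profile, ['userTypes', 'password']);
-
-saveChild(profile, args.user.id, done);
+var userId = args.user ? args.user.id : null;
+saveChild(profile, userId, done);
 });
 }
 
@@ -326,7 +328,8 @@ module.exports = function (options) {
 }
 
 function cmd_update_youth (args, done) {
-if (!_.contains(args.profile.parents, args.user.id)) {
+var userId = args.user ? args.user.id : null;
+if (!_.contains(args.profile.parents, userId)) {
 return done(new Error('Not authorized to update profile'));
 }
 var profile = args.profile;
@@ -476,8 +479,9 @@ module.exports = function (options) {
 }
 
 function addFlags (profile, done) {
-profile.ownProfileFlag = profile && profile.userId === args.user.id;
-profile.myChild = _.contains(profile.parents, args.user.id);
+var userId = args.user ? args.user.id : null;
+profile.ownProfileFlag = profile && profile.userId === userId;
+profile.myChild = _.contains(profile.parents, userId);
 profile.isTicketingAdmin = _.find(profile.userPermissions, function (profileUserPermission) {
 return profileUserPermission.name === 'ticketing-admin';
 });
@@ -488,13 +492,13 @@ module.exports = function (options) {
 seneca.act({role: 'cd-users', cmd: 'load_champions_for_user', userId: profile.userId}, function (err, champions) {
 if (err) return done(err);
 profile.requestingUserIsChampion = _.find(champions, function (champion) {
-return champion.id === args.user.id;
+return champion.id === args.user ? args.user.id : null;
 });
 
 seneca.act({role: 'cd-users', cmd: 'load_dojo_admins_for_user', userId: profile.userId, user: args.user}, function (err, dojoAdmins) {
 if (err) return done(err);
 profile.requestingUserIsDojoAdmin = _.find(dojoAdmins, function (dojoAdmin) {
-return dojoAdmin.id === args.user.id;
+return dojoAdmin.id === args.user ? args.user.id: null;
 });
 
 var allowedFields = [];
@@ -568,7 +572,8 @@ module.exports = function (options) {
 
 function under13Filter (profile, done) {
 // Ensure that only parents of children can retrieve their full public profile
-if (_.contains(profile.userTypes, 'attendee-u13') && !_.contains(profile.parents, args.user.id) && !profile.requestingUserIsChampion && !profile.requestingUserIsDojoAdmin) {
+var userId = args.user ? args.user.id : null;
+if (_.contains(profile.userTypes, 'attendee-u13') && !_.contains(profile.parents, userId) && !profile.requestingUserIsChampion && !profile.requestingUserIsDojoAdmin) {
 profile = {};
 return done(null, profile);
 }
@@ -727,7 +732,7 @@ module.exports = function (options) {
 var data = args.data;
 var inviteTokenId = data.inviteToken;
 var childProfileId = data.childProfileId;
-var requestingUserId = args.user.id;
+var requestingUserId = args.user ? args.user.id : null;
 
 async.waterfall([
 validateRequestingUserIsParent,
@@ -1027,17 +1032,19 @@ module.exports = function (options) {
 seneca.act({role: plugin, cmd: 'list', query: {email: ninjaEmail}}, function (err, ninjaProfiles) {
 if (err) return done(err);
 var ninjaProfile = ninjaProfiles[0];
-if (ninjaProfile && _.contains(ninjaProfile.parents, args.user.id)) return done(new Error('User is already a parent of this Ninja'));
+var userId = args.user ? args.user.id : null;
+if (ninjaProfile && _.contains(ninjaProfile.parents, userId)) return done(new Error('User is already a parent of this Ninja'));
 return done();
 });
 }
 
 function validateRequestingUserIsParent (done) {
-seneca.act({role: 'cd-dojos', cmd: 'load_usersdojos', query: {userId: args.user.id}}, function (err, usersDojos) {
+var userId = args.user ? args.user.id : null;
+seneca.act({role: 'cd-dojos', cmd: 'load_usersdojos', query: {userId: userId}}, function (err, usersDojos) {
 if (err) return done(err);
 if (_.isEmpty(usersDojos)) {
 // Not yet a member of any Dojo, check the user type in their profile.
-seneca.act({role: plugin, cmd: 'list'}, {query: {userId: args.user.id}}, function (err, parentProfiles) {
+seneca.act({role: plugin, cmd: 'list'}, {query: {userId: userId}}, function (err, parentProfiles) {
 if (err) return done(err);
 var parentProfile = parentProfiles[0];
 if (parentProfile.userType === 'parent-guardian') return done();
@@ -1075,7 +1082,8 @@ module.exports = function (options) {
 }
 
 function loadParentProfile (validationResponse, done) {
-seneca.act({role: plugin, cmd: 'list'}, {query: {userId: args.user.id}}, done);
+var userId = args.user ? args.user.id : null;
+seneca.act({role: plugin, cmd: 'list'}, {query: {userId: userId}}, done);
 }
 
 function addTokenToParentProfile (parentProfiles, done) {
@@ -1137,7 +1145,8 @@ module.exports = function (options) {
 return ninjaInvite.id === inviteData.inviteTokenId;
 });
 if (!inviteTokenFound) return done(new Error('Invalid token'));
-seneca.act({role: plugin, cmd: 'list', query: {userId: args.user.id}}, function (err, ninjaProfiles) {
+var userId = args.user ? args.user.id : null;
+seneca.act({role: plugin, cmd: 'list', query: {userId: userId}}, function (err, ninjaProfiles) {
 if (err) return done(err);
 ninjaProfile = ninjaProfiles[0];
 if (ninjaProfile.email !== inviteTokenFound.ninjaEmail) return done(new Error('You cannot approve invite Ninja requests for other users.'));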
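Review bot: The two rewritten `_.find` predicates in the `@@ -488,13 +492,13 @@` hunk, `return champion.id === args.user ? args.user.id : null;` and the matching `dojoAdmin.id` line, no longer compare against the user id. Because `===` binds tighter than `?:`, each one evaluates `(champion.id === args.user) ? args.user.id : null`, which yields `null` unless an id is strictly equal to the whole user object. `profile.requestingUserIsChampion` and `profile.requestingUserIsDojoAdmin` would therefore stay unset, and `under13Filter` reads both flags when deciding whether to blank an under-13 profile, so champions and dojo admins would lose that access. If these callbacks are still inside `addFlags` (its body runs past the hunk that opens it), the `userId` declared there can be reused: `return champion.id === userId;` and `return dojoAdmin.id === userId;`. Separately, the `null` fallback lets the ownership checks in `saveProfile` and `cmd_update_youth` run for a request with no user, and `cmd_save_youth_profile` would push `null` into `profile.parents`; returning an error early when `args.user` is missing would fail closed instead.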
