Last active
August 29, 2015 13:56
-
-
Save davidworkman9/9273637 to your computer and use it in GitHub Desktop.
Proposal for how the positional operator could be allowed in untrusted code in Meteor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function allowedSelector(selector, updateStatement) { | |
| var selectors = []; | |
| var allowed = true; | |
| _.each(Object.keys(selector), function (key) { | |
| var matcher; | |
| if (key !== '_id') { | |
| var parts = key.split('.') | |
| matcher = parts.length > 1 ? new RegExp('^' + escapeRegex(parts[0] + '.$.') + '[A-Za-z]+$') : | |
| new RegExp('^' + escapeRegex(parts[0] + '.$') + '$'); | |
| if (!usesKey(matcher updateStatement)) { | |
| allowed = false; | |
| } | |
| } | |
| }); | |
| return allowed; | |
| function usesKey(matcher, obj) { | |
| var keyUsed = false; | |
| _.each(Object.keys(obj), function (k) { | |
| if (typeof obj[k] === 'object') { | |
| if(usesKey(matcher, obj[k])) { | |
| keyUsed = true; | |
| } | |
| } else if (matcher.test(k)) { | |
| keyUsed = true; | |
| } | |
| }); | |
| return keyUsed; | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function update(selector, modifier, options) { | |
| var doc = this.findOne({ _id: selector._id }); | |
| // assuming this is somewhat how allow/deny is done.. | |
| if (doc) { | |
| var deny = false; | |
| _.each(denys, function (d) { | |
| if(d(this.userId, doc, fieldNames, modifier)) | |
| deny = true; | |
| }); | |
| if(!deny) { | |
| var allowed = false; | |
| _.each(allows, function (a) { | |
| if(a(this.userId, doc, fieldNames, modifier))) | |
| allowed = true; | |
| }); | |
| if(allowed) { | |
| this.update(selector, modifier, options); | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment