This repository has been archived by the owner on Jan 3, 2023. It is now read-only.

Hardening user service hooks #92

Closed
daffl opened this issue Mar 24, 2016 · 1 comment
Closed


Comments

@daffl
Member

daffl commented Mar 24, 2016

When generating the hooks for a user service, instead of having all the special cases in https://github.com/feathersjs/generator-feathers/blob/master/generators/service/templates/hooks.js, it would probably make sense to create a separate user-hooks.js file specifically for the user service.

It should also add all the hooks necessary to properly harden the endpoint:

  • Users can only find themselves
  • Users can only get themselves (even if you know another user's id)
  • Users can only update and patch themselves and not remove anything
@ekryski
Member

ekryski commented Mar 30, 2016

I started implementing this using the new auth hooks. I agree but there are two things I think we should do differently:

  • We shouldn't limit find in any way on the user service. That is up to the developer and will be application specific. For example, it's pretty common to want to list out users.
  • Users should be able to remove themselves. I think that is a good starting point. I think anything beyond this, like preventing deletion, soft delete, cascading removal, etc. becomes application specific and isn't our concern.
