
encrypted password is served to user

Open dpsutton opened this issue 10 years ago • 0 comments

I've looked into this, and the toJSON function is not automatically called by sails. What this means is that the user list page http://localhost:1337/user serves all encrypted passwords as does each individual user page.

[screenshots of the user list page and an individual user page showing the encryptedPassword attribute omitted]

All instances of User objects served to a view come with their encrypted password attribute intact.

It appears that the toJSON() method must be called explicitly for each view, as well as on the entire collection for the show controller method. The fix is individually using toJSON on individual views and

```javascript
// Controller action for the user list page: run every record through
// toJSON() before handing the array to the view, since Sails does not
// do this for res.view() on its own.
index: function (req, res, next) {
    User.find(function foundUsers (err, users) {
        if (err) { return next(err); }
        var cleanUsers = [];
        _.forEach(users, function(user) {
            cleanUsers.push(user.toJSON());
        });
        return res.view({
            users: cleanUsers
        });
    });
}
```

dpsutton avatar Aug 08 '15 06:08 dpsutton
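An added, stand-alone illustration of the behaviour described in this issue (example code, not from the activityoverlord repository or from dpsutton): a stand-in for a Waterline record whose `toJSON()` strips secret fields, the per-record cleanup the fix applies before `res.view()`, and a check that walks the data destined for a view and reports any secret field that survived. The record shape, the field list in `SECRET_FIELDS`, and the helper names are assumptions; the sample users and their hash strings are constructed placeholders.

```javascript
// Added example, not part of the activityoverlord repository. It models the
// behaviour described in the issue with plain objects instead of a live Sails
// app. All names below are assumptions.

// Fields that must never reach a view or an API response (assumed list).
const SECRET_FIELDS = ['password', 'confirmation', 'encryptedPassword', '_csrf'];

// Stand-in for a Waterline record: plain attributes plus toObject()/toJSON().
// toJSON() returns a copy with the secret fields removed.
function makeUserRecord(attrs) {
  const record = Object.assign({}, attrs);
  record.toObject = function () {
    const obj = Object.assign({}, this);
    delete obj.toObject;
    delete obj.toJSON;
    return obj;
  };
  record.toJSON = function () {
    const obj = this.toObject();
    SECRET_FIELDS.forEach((k) => { delete obj[k]; });
    return obj;
  };
  return record;
}

// What the issue's fix does in the index action: call toJSON() on every
// record before the array is passed to res.view().
function cleanUsers(users) {
  return users.map((u) => (typeof u.toJSON === 'function' ? u.toJSON() : u));
}

// Defensive check: walk the value that is about to be rendered and return
// the paths of any secret field still present. Suitable for a unit test or
// a last-line guard in a controller.
function findLeakedSecrets(value, path = '', found = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findLeakedSecrets(v, `${path}[${i}]`, found));
  } else if (value && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (SECRET_FIELDS.includes(key)) {
        found.push(`${path}.${key}`);
      } else {
        findLeakedSecrets(value[key], `${path}.${key}`, found);
      }
    }
  }
  return found;
}

// Constructed sample data; the hash strings are placeholders, not real bcrypt output.
const sampleUsers = [
  makeUserRecord({ id: 1, name: 'alice', email: 'alice@example.com',
                   encryptedPassword: '$2a$10$PLACEHOLDER-HASH-1' }),
  makeUserRecord({ id: 2, name: 'bob', email: 'bob@example.com',
                   encryptedPassword: '$2a$10$PLACEHOLDER-HASH-2' }),
];

// Passing the raw records to the view (the original index action) leaks every hash.
const leakedRaw = findLeakedSecrets({ users: sampleUsers });

// Passing the cleaned array (the fix) leaks nothing.
const leakedClean = findLeakedSecrets({ users: cleanUsers(sampleUsers) });

// JSON.stringify() invokes toJSON() by itself, so a JSON serialisation of the
// raw records is already clean. A template engine that reads properties
// directly off the record objects never goes through that step, which is
// why the view path leaks while the JSON path does not.
const leakedJson = findLeakedSecrets(JSON.parse(JSON.stringify({ users: sampleUsers })));

console.log('raw view data leaks:    ', leakedRaw);
console.log('cleaned view data leaks:', leakedClean);
console.log('JSON.stringify leaks:   ', leakedJson);
```

Running the block prints two leaked paths for the raw data and empty lists for the other two cases. The `findLeakedSecrets` walk is the part worth keeping around: used in a test against every action that calls `res.view()`, it catches a missing `toJSON()` call before it reaches a deployed page.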