moleculer-db

Apply entity validator with `update` action

Open mikaelkundert opened this issue 4 years ago • 2 comments

Currently the entity validator seems to be applied on the create and insert actions, which is good.

Problem / motivation

A client is not able to create an entity without passing the validation rules, but if one has access to the update action too, the client can bypass validation by first using the create action and then using update.

The update action does not currently apply entity validation. For example, fields that must be at least 8 characters can now be made shorter through the update action.

Suggested solution

Since the update action can be used for partial field updates, it might be ideal to apply validation only to fields that are present in the operation.

Additional things to consider

I'm not sure what the standard method is for an operation that removes a field value. If one uses update with a certain field specifically set to be removed, it might be interesting to figure out how to handle validation in such cases.

mikaelkundert avatar Apr 18 '20 13:04 mikaelkundert
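The partial-update validation suggested in the post above, as an added example that is not part of the original issue or of moleculer-db's code: `update` checks only the fields present in the patch and refuses to remove a required field. The rule set, the in-memory store and the treatment of `null` as "remove this field" are assumptions made for the illustration.

```javascript
// Constructed rules and helper names for illustration; not moleculer-db's API.
const rules = {
  username: { type: "string", min: 3, required: true },
  password: { type: "string", min: 8, required: true },
  nickname: { type: "string", min: 2, required: false },
};

// Check one value against its rule; returns an error string or null.
function checkField(name, value, rule) {
  // Assumed convention: null or undefined in a patch means "remove this field".
  if (value === undefined || value === null) {
    return rule.required ? `${name} is required and cannot be removed` : null;
  }
  if (typeof value !== rule.type) return `${name} must be a ${rule.type}`;
  if (value.length < rule.min) return `${name} needs at least ${rule.min} characters`;
  return null;
}

const validate = (data, fields) =>
  fields.map((f) => checkField(f, data[f], rules[f])).filter(Boolean);

// create: every rule applies, so missing required fields are caught.
const validateCreate = (entity) => validate(entity, Object.keys(rules));

// update: only ruled fields that are present in the patch are checked.
const validateUpdate = (patch) =>
  validate(patch, Object.keys(rules).filter((f) => Object.prototype.hasOwnProperty.call(patch, f)));

const store = new Map(); // in-memory stand-in for the database adapter

function create(id, entity) {
  const errors = validateCreate(entity);
  if (errors.length) throw new Error(errors.join("; "));
  store.set(id, { ...entity });
  return store.get(id);
}

function update(id, patch) {
  if (!store.has(id)) throw new Error("entity not found");
  const errors = validateUpdate(patch);
  if (errors.length) throw new Error(errors.join("; "));
  const next = { ...store.get(id), ...patch };
  for (const key of Object.keys(next)) if (next[key] == null) delete next[key];
  store.set(id, next);
  return next;
}
```

With these rules, creating an entity and then sending `{ password: "short" }` to `update` is rejected, which closes the create-then-update path described in the issue.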

+

I have exactly the same problem. In addition, the mongoose adapter does not use mongoose validation when updating an entity. So I have to redefine update action:

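```js
// Fragment of the service schema's `actions` block.
update: {
  rest: 'PATCH /:id',
  // Action-level parameter validation applied to the update request.
  params: {
    id: { type: 'any' },
    name: { type: 'string', empty: false, optional: true }
  },
  handler(ctx) {
    // Delegate to moleculer-db's built-in update method.
    return this._update(ctx, ctx.params);
  }
}
```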

safer-bwd avatar Apr 20 '20 12:04 safer-bwd

I think for this purpose we can use beforeEntityUpdate, for example:

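```js
async beforeEntityUpdate(entity, ctx) {
  // validateEntity returns a Promise; await it so a failed validation aborts the update.
  await this.validateEntity(entity);
  return entity;
},
```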

westtrade avatar Jul 24 '23 19:07 westtrade