Bump to 2.0.0-rc.8 (patch remove all)

2019-04-20 15:04:59 -04:00 · 2019-04-20 15:04:59 -04:00 · 3202329490
commit 3202329490
parent 5e1004f7a8
4 changed files with 20 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,6 @@
+# 2.0.0-rc.8
+* Fix `MapService` flaw where clients could remove all records, even if `allowRemoveAll` were `false`.
+
 # 2.0.0-rc.7
 * `AnonymousService` can override `readData`.
 * `Service.map` now overrides `readData`.
--- a/lib/src/core/map_service.dart
+++ b/lib/src/core/map_service.dart
@ -145,12 +145,16 @@ class MapService extends Service<String, Map<String, dynamic>> {
  @override
  Future<Map<String, dynamic>> remove(String id,
      [Map<String, dynamic> params]) {
-    if (id == null ||
-        id == 'null' &&
-            (allowRemoveAll == true ||
-                params?.containsKey('provider') != true)) {
-      items.clear();
-      return new Future.value({});
+    if (id == null || id == 'null') {
+      // Remove everything...
+      if (!(allowRemoveAll == true ||
+          params?.containsKey('provider') != true)) {
+        throw AngelHttpException.forbidden(
+            message: 'Clients are not allowed to delete all items.');
+      } else {
+        items.clear();
+        return new Future.value({});
+      }
    }

    return read(id, params).then((result) {
--- a/pubspec.yaml
+++ b/pubspec.yaml
@ -1,5 +1,5 @@
 name: angel_framework
-version: 2.0.0-rc.7
+version: 2.0.0-rc.8
 description: A high-powered HTTP server with dependency injection, routing and much more.
 author: Tobe O <thosakwe@gmail.com>
 homepage: https://github.com/angel-dart/angel_framework
--- a/test/services_test.dart
+++ b/test/services_test.dart
@ -25,7 +25,7 @@ main() {
    app = new Angel(reflector: MirrorsReflector())
      ..use('/todos', service = new MapService())
      ..errorHandler = (e, req, res) {
-        print('Whoops: ${e.error}');
+        if (e.error != null) print('Whoops: ${e.error}');
        if (e.stackTrace != null) print(new Chain.forTrace(e.stackTrace).terse);
      };

@ -124,5 +124,10 @@ main() {
      print(json_);
      expect(json_['text'], equals('Hello, world!'));
    });
+
+    test('cannot remove all unless explicitly set', () async {
+      var response = await client.delete('$url/todos/null');
+      expect(response.statusCode, 403);
+    });
  });
 }