diff --git a/CHANGELOG.md b/CHANGELOG.md
index a6ef7a34..75bfc50c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+# 2.0.0-rc.8
+* Fix `MapService` flaw where clients could remove all records, even if `allowRemoveAll` were `false`.
+
 # 2.0.0-rc.7
 * `AnonymousService` can override `readData`.
 * `Service.map` now overrides `readData`.
diff --git a/lib/src/core/map_service.dart b/lib/src/core/map_service.dart
index c7d64d8a..1295e61c 100644
--- a/lib/src/core/map_service.dart
+++ b/lib/src/core/map_service.dart
@@ -145,12 +145,16 @@ class MapService extends Service> {
 @override
 Future> remove(String id, [Map params]) {
- if (id == null ||
- id == 'null' &&
- (allowRemoveAll == true ||
- params?.containsKey('provider') != true)) {
- items.clear();
- return new Future.value({});
+ if (id == null || id == 'null') {
+ // Remove everything...
+ if (!(allowRemoveAll == true ||
+ params?.containsKey('provider') != true)) {
+ throw AngelHttpException.forbidden(
+ message: 'Clients are not allowed to delete all items.');
+ } else {
+ items.clear();
+ return new Future.value({});
+ }
 }
 return read(id, params).then((result) {
diff --git a/pubspec.yaml b/pubspec.yaml
index 7cce6681..40d8b3dd 100644
--- a/pubspec.yaml
+++ b/pubspec.yaml
@@ -1,5 +1,5 @@
 name: angel_framework
-version: 2.0.0-rc.7
+version: 2.0.0-rc.8
 description: A high-powered HTTP server with dependency injection, routing and much more.
 author: Tobe O
 homepage: https://github.com/angel-dart/angel_framework
diff --git a/test/services_test.dart b/test/services_test.dart
index 8b881be3..52232a84 100644
--- a/test/services_test.dart
+++ b/test/services_test.dart
@@ -25,7 +25,7 @@ main() {
 app = new Angel(reflector: MirrorsReflector())
 ..use('/todos', service = new MapService())
 ..errorHandler = (e, req, res) {
- print('Whoops: ${e.error}');
+ if (e.error != null) print('Whoops: ${e.error}');
 if (e.stackTrace != null) print(new Chain.forTrace(e.stackTrace).terse);
 };
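Review bot: The forbidden branch in `remove` throws synchronously from a method that returns a `Future` without being `async`, so a caller that chains `.catchError` on the returned future instead of awaiting the call would never see the rejection; the new HTTP test presumably goes through a framework try/catch and so does not exercise that path. Routing the error through the future keeps the contract uniform: `return new Future.error(AngelHttpException.forbidden(message: 'Clients are not allowed to delete all items.'));`, after which the `else` wrapper is redundant and the negated disjunction reads more directly as `if (allowRemoveAll != true && params?.containsKey('provider') == true)`. The guard also treats any call without a `provider` param as trusted server-side code, so its strength rests on the framework always populating `provider` for client-originated requests; that assumption deserves to be stated on the `// Remove everything...` line rather than left implicit. The body of `remove` continues past the end of the hunk.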
@@ -124,5 +124,10 @@ main() {
 print(json_);
 expect(json_['text'], equals('Hello, world!'));
 });
+
+ test('cannot remove all unless explicitly set', () async {
+ var response = await client.delete('$url/todos/null');
+ expect(response.statusCode, 403);
+ });
 });
 }
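Review bot: The new test pins only the denied path; nothing asserts that a `MapService` whose `allowRemoveAll` is set still clears the collection on `DELETE /todos/null`, nor that a direct server-side `service.remove(null)` (no `provider` param) is still permitted, so a regression that inverts the new condition would pass this suite unnoticed. A companion test against a permissive instance, e.g. `expect((await client.delete('$url/todos/null')).statusCode, 200);` followed by a check that `service.items` is empty, would cover the other branch; how `allowRemoveAll` is configured is not visible in this diff, so the setup is left to the author. The enclosing `main()` group starts outside the hunk.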