1.0.1

CHANGELOG.md

@@ -1,2 +1,5 @@
+# 1.0.1
+* Fix flaw where clients could remove all records, even if `allowRemoveAll` were `false`.
+
 # 1.0.0
 * First release.

analysis_options.yaml

@@ -1,3 +1,4 @@
+include: package:pedantic/analysis_options.yaml
 analyzer:
   strong-mode:
     implicit-casts: false

lib/angel_sembast.dart

@@ -15,7 +15,7 @@ class SembastService extends Service<String, Map<String, dynamic>> {
   final bool allowQuery;
 
   SembastService(this.database,
-      {String store, this.allowRemoveAll: false, this.allowQuery: true})
+      {String store, this.allowRemoveAll = false, this.allowQuery = true})
       : this.store =
             (store == null ? database.mainStore : database.getStore(store)),
         super();
@@ -151,13 +151,17 @@ class SembastService extends Service<String, Map<String, dynamic>> {
   @override
   Future<Map<String, dynamic>> remove(String id,
       [Map<String, dynamic> params]) async {
-    if (id == null ||
-        id == 'null' &&
-            (allowRemoveAll == true ||
+    if (id == null || id == 'null') {
+      // Remove everything...
+      if (!(allowRemoveAll == true ||
           params?.containsKey('provider') != true)) {
+        throw AngelHttpException.forbidden(
+            message: 'Clients are not allowed to delete all items.');
+      } else {
         await store.deleteAll(await store.findKeys(new Finder()));
         return {};
       }
+    }
 
     return database.transaction((txn) async {
       var store = txn.getStore(this.store.name);

pubspec.yaml

@@ -1,7 +1,7 @@
 name: angel_sembast
 description: package:sembast-powered CRUD services for the Angel framework.
 homepage: https://github.com/angel-dart/sembast
-version: 1.0.0
+version: 1.0.1
 author: Tobe O <thosakwe@gmail.com>
 environment:
   sdk: ">=2.0.0-dev <3.0.0"
@@ -11,5 +11,6 @@ dependencies:
 dev_dependencies:
   angel_http_exception: ^1.0.0
   logging:
+  pedantic: ^1.0.0
   test: ^1.0.0
 

test/all_test.dart

@@ -1,4 +1,5 @@
 import 'dart:collection';
+import 'package:angel_framework/angel_framework.dart';
 import 'package:angel_http_exception/angel_http_exception.dart';
 import 'package:angel_sembast/angel_sembast.dart';
 import 'package:sembast/sembast.dart';
@@ -76,6 +77,35 @@ main() async {
     expect(await service.index(), isEmpty);
   });
 
+  test('cannot remove all unless explicitly set', () async {
+    expect(() => service.remove(null, {'provider': Providers.rest}),
+        throwsA(const TypeMatcher<AngelHttpException>()));
+    expect(
+        () => service.remove(null, {'provider': Providers.rest}),
+        throwsA(predicate((x) => x is AngelHttpException && x.statusCode == 403,
+            'throws forbidden')));
+    expect(() => service.remove('null', {'provider': Providers.rest}),
+        throwsA(const TypeMatcher<AngelHttpException>()));
+    expect(
+        () => service.remove('null', {'provider': Providers.rest}),
+        throwsA(predicate((x) => x is AngelHttpException && x.statusCode == 403,
+            'throws forbidden')));
+  });
+
+  test('can remove all on server side', () async {
+    await service.create({'bar': 'baz'});
+    await service.create({'bar': 'baz'});
+    await service.create({'bar': 'baz'});
+    await service.remove(null);
+    expect(await service.index(), isEmpty);
+
+    await service.create({'bar': 'baz'});
+    await service.create({'bar': 'baz'});
+    await service.create({'bar': 'baz'});
+    await service.remove('null');
+    expect(await service.index(), isEmpty);
+  });
+
   test('remove nonexistent', () async {
     expect(() => service.remove('440'),
         throwsA(const TypeMatcher<AngelHttpException>()));