softDelete fix for double 'get' call is not ideal #163
Comments
|
I believe this situation was introduced by your #160. I see 2 solutions
What are the ramifications of the first approach above? Some hooks could prevent that softDelete is designed to be an all-before hook. I think its unwise to break it up into before & after hooks. |
|
This |
|
I think if some hooks can prevent that get, then it should be prevented. What hooks can prevent it except access controlling hooks? |
|
Fixed in #166 which will be published in v3.2.1. |
|
Now when you call softDelete on users service before all hook, and on client side straight after authentication you try to get the user, this will fail. You can try this error out at my example repo @ https://github.com/3bola/example-feathers-soft-delete-errors |
|
Nice work! |
|
There is one more issue here, i have described it here: #188. |
Resolved issues in softDelete caused by pull #163
softDelete fix #160 have one more issue.
Currently it uses internal users.get result as final result. It's ok except that internal calls are made without hook.params.provider set, making some other hooks to be skipped, like restrictToRoles.
Thus, if restrictToRoles hook is registered after softDelete it will not be called at all, it is a security issue.
Somehow softDelete should call users.get like an external service, could someone give an advice about how to do it?
I see that it can be fixed by adding softDelete as after get hook, and by making softDelete before get hook just pass through with just setting some flag like $disableSoftDelete, but it will brake compatibility, everyone will need to add softDelete to after get hooks, may be there is a way that a hook can use to register after hook by it self?
Btw, current tests does not see that issue.
The text was updated successfully, but these errors were encountered: