fix inputItems issue

JaneJeon · Oct 19, 2021 · 4160907 · 4160907
1 parent 029faaa
commit 4160907
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 2 deletions.
diff --git a/src/adapters/base.js b/src/adapters/base.js
@@ -2,6 +2,7 @@ const httpError = require('http-errors')
 const objectDiff = require('../utils/object-diff')
 const merge = require('lodash/merge')
 const unset = require('lodash/unset')
+const deepCopy = require('lodash/cloneDeep')
 
 class ACLInterface {
   constructor(acl, args, defaultAction) {
@@ -57,6 +58,9 @@ class ACLInterface {
     if (!this.authorize) return
     this.items.forEach(item => {
       this.inputItems.forEach(inputItem => {
+        // First, deep clone inputItem so as to not affect it, otherwise shit like createdAt will be stripped away
+        inputItem = deepCopy(inputItem)
+
         // the base inputItems passed by the ORM are already wrapped in model class;
         // however, performing this diff operation causes class information to be lost,
         // so we need to regenerate it by wrapping the diff (which is a plain object) in class

diff --git a/tests/insert.test.js b/tests/insert.test.js
@@ -18,4 +18,12 @@ describe.each(ACLs)('Insert queries (%s)', (library, acl) => {
       User.query().authorize({ id: 4, role: 'user' }).insert({ id: 5 })
     ).rejects.toThrow()
   })
+
+  test('prevents inputItems from being affected', async () => {
+    await User.query().authorize().insert({ id: 3 })
+
+    // Make sure created_at was not stripped away
+    const user = await User.query().findById(3)
+    expect(user.created_at).toBeTruthy()
+  })
 })
diff --git a/tests/patch.test.js b/tests/patch.test.js
@@ -71,4 +71,17 @@ describe.each(ACLs)('Patch queries (%s)', (library, acl) => {
       .patchAndFetchById(1, { metadata: { mutableField: 'hello' } })
       .authorize({ id: 1, role: 'user' }, { id: 1 })
   })
+
+  test('prevent inputItems from being affected', async () => {
+    await User.query()
+      .findById(2)
+      .patch({ metadata: { mutableField: 'hello!' } })
+      .authorize({ id: 2, role: 'user' })
+      .fetchResourceContextFromDB()
+
+    // Make sure created_at was not stripped away
+    const user = await User.query().findById(2)
+    expect(user.created_at).toBeTruthy()
+    expect(user.updated_at).toBeTruthy()
+  })
 })
diff --git a/tests/seeds/20201223004915_users.js b/tests/seeds/20201223004915_users.js
@@ -16,7 +16,8 @@ exports.seed = function (knex) {
             fixedField: 'foo',
             mutableField: 'bar',
             hiddenField: 'super secret'
-          }
+          },
+          created_at: new Date()
         },
         {
           id: 2,
@@ -27,7 +28,8 @@ exports.seed = function (knex) {
             fixedField: 'baz',
             mutableField: '???',
             hiddenField: 'super secret 2: electric boogaloo'
-          }
+          },
+          created_at: new Date()
         }
       ])
     })

diff --git a/tests/update.test.js b/tests/update.test.js
@@ -79,4 +79,22 @@ describe.each(ACLs)('Update queries (%s)', (library, acl) => {
       .authorize({ id: 1, role: 'user' }, { id: 1 })
       .diffInputFromResource()
   })
+
+  test('do not modify inputItems', async () => {
+    // eslint-disable-next-line camelcase
+    const created_at = new Date()
+
+    const user = await User.query()
+      .updateAndFetchById(1, {
+        id: 1,
+        metadata: { mutableField: 'hello' },
+        created_at
+      })
+      .authorize({ id: 1, role: 'user' }, { id: 1 })
+      .diffInputFromResource()
+
+    // eslint-disable-next-line camelcase
+    expect(user.created_at === created_at)
+    expect(user.updated_at).toBeTruthy()
+  })
 })