
Fix allow rule to allow users to update their profile (broken in 0.5.8 release).

Fixes meteor#809.
glasser committed Mar 14, 2013
1 parent dcb26e1 commit 000842d
Showing 2 changed files with 49 additions and 6 deletions.
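--- a/packages/accounts-base/accounts_server.js
+++ b/packages/accounts-base/accounts_server.js
@@ -319,13 +319,8 @@
 Meteor.users.allow({
 // clients can modify the profile field of their own document, and
 // nothing else.
-update: function (userId, docs, fields, modifier) {
-// if there is more than one doc, at least one of them isn't our
-// user record.
-if (docs.length !== 1)
-return false;
+update: function (userId, user, fields, modifier) {
 // make sure it is our record
-var user = docs[0];
 if (user._id !== userId)
 return false;
 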
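Review bot: The new signature `update: function (userId, user, fields, modifier) {` changes the callback from an array of documents to a single one, and the hunk leaves no in-code record of why the `docs.length !== 1` guard could go; the only trail is the "broken in 0.5.8" commit title. A one-line comment above the signature would keep that decision from being undone by a later reader, e.g. `// allow/deny update callbacks receive one document per call (0.5.8 API), so a per-document ownership check is sufficient` — the API change itself is inferred from the commit message, not visible here. The body of the `update` rule continues beyond the hunk, so whether `fields` is restricted to `profile` further down cannot be confirmed from this view; the new test in password_tests.js (a non-profile field rejected with 403) suggests it is.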
48 changes: 48 additions & 0 deletions packages/accounts-password/password_tests.js
Expand Up @@ -23,6 23,7 @@ if (Meteor.isClient) (function () {
// the test so when we use the 'debug' link in the tests, they get new
// values and the tests don't fail.
var username, username2, username3;
var userId1, userId3;
var email;
var password, password2, password3;

Expand All @@ -42,6 43,10 @@ if (Meteor.isClient) (function () {
{username: username, email: email, password: password},
loggedInAs(username, test, expect));
},
function (test, expect) {
userId1 = Meteor.userId();
test.notEqual(userId1, null);
},
logoutStep,
function (test, expect) {
Meteor.loginWithPassword(username, password,
Expand Down Expand Up @@ -191,7 196,50 @@ if (Meteor.isClient) (function () {
test.equal(err, undefined);
}));
},
// test the default Meteor.users allow rule. This test properly belongs in
// accounts-base/accounts_tests.js, but this is where the tests that
// actually log in are.
function(test, expect) {
userId3 = Meteor.userId();
test.notEqual(userId3, null);
// Can't update fields other than profile.
Meteor.users.update(
userId3, {$set: {disallowed: true, 'profile.updated': 42}},
expect(function (err) {
test.isTrue(err);
test.equal(err.error, 403);
test.isFalse(_.has(Meteor.user(), 'disallowed'));
test.isFalse(_.has(Meteor.user().profile, 'updated'));
}));
},
function(test, expect) {
// Can't update another user.
Meteor.users.update(
userId1, {$set: {'profile.updated': 42}},
expect(function (err) {
test.isTrue(err);
test.equal(err.error, 403);
}));
},
function(test, expect) {
// Can't update using a non-ID selector. (This one is thrown client-side.)
test.throws(function () {
Meteor.users.update(
{username: username3}, {$set: {'profile.updated': 42}});
});
test.isFalse(_.has(Meteor.user().profile, 'updated'));
},
function(test, expect) {
// Can update own profile using ID.
Meteor.users.update(
userId3, {$set: {'profile.updated': 42}},
expect(function (err) {
test.isFalse(err);
test.equal(42, Meteor.user().profile.updated);
}));
},
function(test, expect) {
// Test that even with no published fields, we still have a document.
Meteor.call('clearUsernameAndProfile', expect(function() {
test.isTrue(Meteor.userId());
var user = Meteor.user();
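Review bot: `test.throws(function () { Meteor.users.update({username: username3}, ...); })` in the "non-ID selector" step passes on any exception, so a typo or an unrelated client-side error in that call would keep the test green without proving the selector restriction; if this tinytest version's `test.throws` accepts an expected message or pattern, pass one, otherwise catch the error and assert on its text. The new rule-coverage steps exercise only `$set`; a companion step using `$unset` on a `profile` subfield (expected to succeed) and one using `$unset` on a non-profile field (expected 403) would pin the `fields` restriction for the other modifier shape callers use. Minor style: the new steps are written `function(test, expect)` while the neighbouring steps in the same array (e.g. the added `userId1` step) use `function (test, expect)`.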
