feat: don't allow getting user details fields for invites

Author: maxceem

src/routes/projectMemberInvites/create.js

@@ -12,6 +12,8 @@ import { PROJECT_MEMBER_ROLE, PROJECT_MEMBER_MANAGER_ROLES,
   MAX_PARALLEL_REQUEST_QTY, CONNECT_NOTIFICATION_EVENT } from '../../constants';
 import { createEvent } from '../../services/busApi';
 
+const ALLOWED_FIELDS = _.keys(models.ProjectMemberInvite.rawAttributes).concat(['handle']);
+
 /**
  * API to create member invite to project.
  *
@@ -24,6 +26,9 @@ const addMemberValidations = {
     emails: Joi.array().items(Joi.string().email()).optional().min(1),
     role: Joi.any().valid(_.values(PROJECT_MEMBER_ROLE)).required(),
   }).required(),
+  query: {
+    fields: Joi.string().optional(),
+  },
 };
 
 /**
@@ -234,6 +239,14 @@ module.exports = [
     // let us request user fields during creating, probably this should be move to GET by ID endpoint instead
     const fields = req.query.fields ? req.query.fields.split(',') : null;
 
+    try {
+      util.validateFields(fields, ALLOWED_FIELDS);
+    } catch (validationError) {
+      const err = new Error(`"fields" is not valid: ${validationError.message}`);
+      err.status = 400;
+      return next(err);
+    }
+
     if (!invite.userIds && !invite.emails) {
       const err = new Error('Either userIds or emails are required');
       err.status = 400;

src/routes/projectMemberInvites/get.js

@@ -7,6 +7,8 @@ import { middleware as tcMiddleware } from 'tc-core-library-js';
 import models from '../../models';
 import util from '../../util';
 
+const ALLOWED_FIELDS = _.keys(models.ProjectMemberInvite.rawAttributes).concat(['handle']);
+
 /**
  * API to update invite member to project.
  *
@@ -28,7 +30,15 @@ module.exports = [
     const email = req.authUser.email;
     const fields = req.query.fields ? req.query.fields.split(',') : null;
 
-    util.fetchByIdFromES('invites', {
+    try {
+      util.validateFields(fields, ALLOWED_FIELDS);
+    } catch (validationError) {
+      const err = new Error(`"fields" is not valid: ${validationError.message}`);
+      err.status = 400;
+      return next(err);
+    }
+
+    return util.fetchByIdFromES('invites', {
       query: {
         nested: {
           path: 'invites',

src/routes/projectMemberInvites/list.js

@@ -7,6 +7,8 @@ import { middleware as tcMiddleware } from 'tc-core-library-js';
 import models from '../../models';
 import util from '../../util';
 
+const ALLOWED_FIELDS = _.keys(models.ProjectMemberInvite.rawAttributes).concat(['handle']);
+
 /**
  * API to update invite member to project.
  *
@@ -26,7 +28,15 @@ module.exports = [
     const projectId = _.parseInt(req.params.projectId);
     const fields = req.query.fields ? req.query.fields.split(',') : null;
 
-    util.fetchByIdFromES('invites', {
+    try {
+      util.validateFields(fields, ALLOWED_FIELDS);
+    } catch (validationError) {
+      const err = new Error(`"fields" is not valid: ${validationError.message}`);
+      err.status = 400;
+      return next(err);
+    }
+
+    return util.fetchByIdFromES('invites', {
       query: {
         nested: {
           path: 'invites',

src/util.js

@@ -1200,6 +1200,29 @@ _.assignIn(util, {
 
     return markupKey ? _.includes(_.values(ESTIMATION_TYPE), markupKey) : false;
   },
+
+  /**
+   * Validate if `fields` list has only allowed values from `allowedFields` or throws error.
+   *
+   * @param {Array} fields        fields to validate
+   * @param {Array} allowedFields allowed fields
+   *
+   * @throws {Error}
+   * @returns {void}
+   */
+  validateFields: (fields, allowedFields) => {
+    if (!allowedFields) {
+      throw new Error('List of "allowedFields" has to be provided.');
+    }
+
+    const disallowedFields = _.difference(fields, allowedFields);
+
+    if (disallowedFields.length > 0) {
+      const disallowedFieldsString = disallowedFields.map(field => `"${field}"`).join(', ');
+
+      throw new Error(`values ${disallowedFieldsString} are not allowed`);
+    }
+  },
 });
 
 export default util;