Using fastJoin with Mongoose lean:false #490
Comments
All common hooks, and the documentation, assume a disabled ORM, that is lean:true for Mongoose. You have to work around the ORM otherwise, as you did. Please feel free to comment or even to reopen this issue.
I've reopened the issue as information for others who may run into this issue.
Upon debugging a separate issue, I've found that this is also the case with Due to the common nature of the use case of hooks like discard (passwords), I feel like this is a rather large security vulnerability for those that unknowingly use Alternatively this is a feathersjs or feathers-mongoose issue, idk, but it wouldn't be that hard to code against though.
Feathers assumes lean: true is being used. You yourself have to handle any ramifications if you do otherwise.
I spent quite a few hours looking into this, and after giving up, found the cause of the bug by accident.
Not sure if this affects more than just fastJoin.
Steps to reproduce
Say we have a posts mongoose service, that for one reason or another, lean is disabled:
and in the hooks we add a fastjoin: (in this case, populating the field "author" with the createdBy user)
Expected behavior
The client should receive a posts object with an "author" field.
Actual behavior
The client does not receive a posts object with an "author" field.
This is because modifying the mongoose Model object will not stick when toObject is called before sending. What should be given to the resolvers is either the object returned from toObject, or the _doc field of the Model.
i.e. this will fix the issue:
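An added example, not part of the original issue or of the Feathers code base: it reproduces the behaviour discussed in this thread with a constructed stand-in for a Mongoose document, then shows an after hook that converts results to plain objects before join-style and discard-style hooks run. `FakeDoc`, `toPlainResult`, `addAuthor`, `dropPassword` and `respond` are hypothetical names, and the record contents are constructed sample data.

```javascript
// Constructed stand-in for a Mongoose document (lean: false): field data lives
// in _doc, and serialization goes through toObject()/toJSON().
class FakeDoc {
  constructor(data) { this._doc = { ...data }; }
  toObject() { return { ...this._doc }; }
  toJSON() { return this.toObject(); }
}

// Hypothetical after hook: replace ORM documents in context.result with plain
// objects so later hooks (fastJoin, discard, ...) edit what is actually sent.
function toPlainResult() {
  const plain = item =>
    item && typeof item.toObject === 'function' ? item.toObject() : item;
  return context => {
    const { result } = context;
    if (Array.isArray(result)) {
      context.result = result.map(plain);
    } else if (result && Array.isArray(result.data)) {
      context.result = { ...result, data: result.data.map(plain) }; // paginated find
    } else {
      context.result = plain(result);
    }
    return context;
  };
}

// Simplified stand-ins for what a join hook and a discard hook do to a record.
const addAuthor = context => {
  context.result.author = { name: 'alice' };
  return context;
};
const dropPassword = context => {
  delete context.result.password;
  return context;
};

// Runs the hooks in order and returns the JSON the client would receive.
function respond(hooks) {
  const context = {
    method: 'get',
    result: new FakeDoc({ title: 'hi', password: '<constructed-hash>' })
  };
  hooks.forEach(hook => hook(context));
  return JSON.parse(JSON.stringify(context.result));
}

const unsafe = respond([addAuthor, dropPassword]);
const safe = respond([toPlainResult(), addAuthor, dropPassword]);
console.log({ unsafe, safe });
```

Without the conversion the serialized record has no `author` and still carries `password`; with `toPlainResult()` first, both hooks take effect on the object that is sent.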