fix(users): fix for users.profile.server.controller.js security (#1338)

* Fix for users.profile.server.controller.js security (#1338) Fixes an issue where if req.body._id was not set to the current user it could potentially log the current user in as another user. Don't use req.body._id when editing user Prevents a user from being logged in as another if edit user form _id is not their own. Fixes #1338
meanjs · Jun 18, 2016 · 2ad422c · 2ad422c
1 parent 239ce61
commit 2ad422c
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/modules/users/server/controllers/users/users.profile.server.controller.js b/modules/users/server/controllers/users/users.profile.server.controller.js
@@ -22,6 +22,9 @@ exports.update = function (req, res) {
   // For security measurement we remove the roles from the req.body object
   delete req.body.roles;
 
+  // For security measurement do not use _id from the req.body object
+  delete req.body._id;
+
   if (user) {
     // Merge existing user
     user = _.extend(user, req.body);