This repository has been archived by the owner on Aug 30, 2021. It is now read-only.

Secure fields can be updated through profile update #1420

Closed
shanavas786 opened this issue Aug 7, 2016 · 0 comments

@shanavas786
Contributor

Since profile update only filters out the `_id` and `roles` fields (see user.profile.server.controller.js), other secure fields like password, salt, etc. can be updated by including those fields in the request body. It is a security flaw.

shanavas786 added a commit to shanavas786/mean that referenced this issue Aug 7, 2016

Avoid updating secure fields as password, salt, etc. through
user profile update.

Fixes meanjs#1420

lirantal pushed a commit that referenced this issue Aug 27, 2016

* Fix(users): Don't update secure profile fields

Avoid updating secure fields as password, salt, etc. through
user profile update.

Fixes #1420

* Refactor variable name
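
The report above describes a mass-assignment problem: a blocklist of `_id` and `roles` lets every other key in the request body reach the stored user. The sketch below is an added example, not the MEAN.js source and not part of the issue; it contrasts that blocklist merge with an allowlist that copies only editable fields. The function names, the sample user and the list of editable fields are assumptions.

```javascript
// Added illustration; not the MEAN.js controller. Field names other than
// _id, roles, password and salt are assumptions.

// Constructed sample of a stored user document.
function sampleUser() {
  return {
    _id: 'u1',
    roles: ['user'],
    password: 'stored-hash',
    salt: 'stored-salt',
    firstName: 'Ann',
    lastName: 'Lee',
    email: 'ann@example.test'
  };
}

// Blocklist pattern described in the issue: strip _id and roles, merge the rest.
function updateProfileBlocklist(user, body) {
  const incoming = Object.assign({}, body);
  delete incoming._id;
  delete incoming.roles;
  return Object.assign({}, user, incoming);
}

// Allowlist pattern: copy only fields a user may edit about themselves.
const EDITABLE_FIELDS = ['firstName', 'lastName', 'email']; // assumed list

function updateProfileAllowlist(user, body) {
  const updated = Object.assign({}, user);
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (EDITABLE_FIELDS.includes(key)) {
      updated[key] = body[key];
    } else {
      rejected.push(key); // worth logging: unexpected keys in a profile update
    }
  }
  return { user: updated, rejected };
}

// Constructed request body mixing a legitimate edit with protected fields.
const body = { firstName: 'Anna', password: 'x', salt: 'y', roles: ['admin'] };
```

With an allowlist, a field added to the user schema later stays protected by default, and the `rejected` list gives a signal to log when a profile update carries keys it should not.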