Sails-Protect-Blueprints.md

I am keeping this as a reference to balderdashy/sails#352

Working with SailsJS v0.10-rc5: I am trying to keep the magic of blueprint controllers while at the same time protecting some model attributes from being changed by users on the default routes. I.e.: prevent access to the is_admin attribute on regular CRUD routes and implement a promote action or something similar on the UserController which makes the neccessary checks.

In order to do this, I came up with the following policy in combination with a small addition to the model definitions:

// file: api/policies/protectedAttributes.js

/**
 * protectedAttributes
 *
 * @module      :: Policy
 * @description :: Simple policy to protect certain attributes as returned by Model.protectedAttributes()
 * @docs        :: http://sailsjs.org/#!documentation/policies
 *
 */

var actionUtil = require( '../../node_modules/sails/lib/hooks/blueprints/actionUtil' );

module.exports = function ( req, res, next ) {

	var Model = actionUtil.parseModel( req );

	if ( Model.protectedAttributes ) {
		var attributes = Model.protectedAttributes();
		_.each( attributes, function ( attr ) {
			if ( req.params && req.params.hasOwnProperty( attr ) ) {
				delete req.params[ attr ];
			}
			if ( req.query && req.query.hasOwnProperty( attr ) ) {
				delete req.query[ attr ];
			}
			if ( req.body && req.body.hasOwnProperty( attr ) ) {
				delete req.body[ attr ];
			}

		} );
	}
	return next();
};

Inside a model I add the following function as a class method:

protectedAttributes: function () {
	return [ "is_admin", "email_verified" ];
},

So whenever I enable this policy on a route it reads the protected attributes and simply deletes all matching parameters from the request. The solution still feels a bit crude to me, but I get the behavior I want out of it. Any thoughts?

Cheers! Marcus

hussainb/Sails-Protect-Blueprints.md