The Express MDN tutorial here uses the following code to do a validation step
// Validate that the name field is not empty.
body('name', 'Genre name required').isLength({ min: 1 }).trim(),
What I don't get is why trim() is chained after the isLength() validation. Shouldn't it be the other way around, or is it the same semantics either way?
I did try looking around in the express-validator doc for a mention of something like this, but was unsuccessful.
UPDATE
In response to gustavohenke's answer, I think what was confusing me, was that I was seeing two sanitization points as shown in the MDN express tutorial screenshot below:
so when I read the validation doc for express-validator "If you use any of the sanitizers together with validators, the validated value is the sanitized one", I was wondering which sanitization point?
From what I've characterized, however, is that the documentation in the express tutorial (that says sanitizers in the validation step only apply to that validation step and don't mutate the request, and so another sanitizer is needed) is not true anymore. In other words, I think you can do all sanitization and validation in one chain.
To get it clear first: trim is a sanitizer, not a validator, like isLength.
Currently (as of v5.x.x), when you specify both sanitizers and validators in the same chain, sanitizers will always run before validators. If you specify more sanitizers, they will run in the order specified.
It's documented behaviour, but it's quite easy to not see it:
If you use any of the sanitizers together with validators, the validated value is the sanitized one.
This is a point of astonishment for users, as you might have guessed, and it's planned to change on an upcoming major version.
Related
I have my data model already defined and implemented. I can very easily write manually the filter to filter out non-authorized results for the user who sent the query (which would be in the style of: "collection.acl.personId": queryPersonId )
My problem is, where and how should I write this "thing" to be as automatic as possible?
I tried to do it with a custom query and a static method, but did not had any luck on both.
Static method con: I don't want to rewrite all my code to use .then(). I want to keep the current chaining.
Custom query: it simply did not worked, even by following the doc.
Ideal the result would be something like
Model.findWithAcl(filters).lean()
Model.findOneWithAcl(filters).lean()
Note that we are using Typescript. The priority would be to have something working, but having the ability to have a working type would be the second priority right after.
Thanks for any help
Casl mongoose gives a very good way of filtering both results (row level) and fields from collections. Note that it also can be used in the front end.
Great package that works very well with auth0 rights.
https://casl.js.org/v5/en/guide/intro
https://casl.js.org/v5/en/package/casl-mongoose
I recently load several versions of MEANJS (meanjs.org) to understand the file structure better and view the changes.
In 4.0, articles.client.controller.js to be specific they have:
and I'm able to make changes to new Articles there as I appended new fields to the mongoose Schema.
$scope.create = function () {
// Create new Article object
var article = new Articles({
title: this.title,
content: this.content
});
In 4.1, it comes like this.
// Create new Article object
var article = new Articles({
title: this.title,
content: this.content
});
Now with 4.2, I don't see that in articles.client.controller.js,
vm.article = article;
I have my modified Schema version. How to make changes to the creation of a new Articles object? This is a good question for upgrading app from 4.0, 4.1 to 4.2.
It’s changed slightly.
Trying to use the resources directly as was done in version 4 may cause problems where the page is ready but not the resource (Article).
To get around this problem angular uses resolves which which use promises to handle the timing issues.
The important thing to know is that the promise will give you some answer at some point in the future - Just, it may not be the answer you'd like!
Either way, it always tells you once it has the answer - or more correctly once it has resolved.
Angular uses the promises to help out with the timing issues mentioned above. The resolves are keyed to a promise and will only load the controller once the resolve(s)... erm... resolve!
This means we will always have articles when we expect.
Promises, resolves - Let me at'em - Let me at'em!!
The resolves option is used in the updated articles.client.routes. Here we see that articleResolve is keyed to getArticle which isn't a promise itself but is instead a function which returns one (which is just a good!)
If we look at the lines below we can see how we create this promise returning function. It's a function which uses Angular's $stateParams (to inspect the state) and fill in the articleId for the requested article. We get the articles using the injected and familiar Articles service.
In your case you want to know how new articles are created so we must travel a little further into the articles service which has recently been updated.
This is almost the same as the Articles service which you are used to using, however the additional lines add an extra method to this service which allow it to create, or if existing to save the article details.
These lines are how we extend a service in angular and the below implementation basically checks the article to see wether it has the ._id property. This is the string representation of the .id property that all saved mongo db documents get.
It uses this information call the appropriate method.
Finally, back where we began
In the controller we see the earlier created promise key articleResolve used as the second injected argument; As if to say "when you have this articles service resolved use it as this second parameter when I'm injecting the arguments".
When we look at the controller definition, we notice that the corresponding second parameter is named article.
Background: Within any controller this actually points to the scope (or $scope). As convention†, and to make things in angular look like standard JavaScript where we often say var that = this, we create a variable to reference our scope.
Within the controller we attach this article to the scope so that it is accessible in the views via vm.article.
Fin!
† Graze at Papa John's style guide when you get chances and slowly evolve your code style to match it. It will help you avoid traps and as a side effect makes lot of the angular code examples/tutorial more understandable, especially where the authors also follow it.
In our data processing API Controller we have CASE SWITCH sockets according to the POST FIELDS filled in or not filled on the POST FORM by the client.
The question is : what is the easiest way to identify the correct CASE according to posted fields.
Say we have six different fields on the client POST FORM
Counting all possibilities that amounts to a total of 64
In Sails we are looking for the most efficient way to mark every combination in order to switch-case then route each one of them in the API Controller.
Sounds like you want a bitmask. If you are running a version of Node that supports the ES6 binary literals, you can express each combination of possibilities like this:
0b000000 // ===0; all options turned on
0b000001 // ===1; only the last option turned on
0b000010 // ===2; only the second-to-last option turned on
0b000011 // ===3; only the last to options turned on
...
This will allow you to use bitwise operators to pull out just the flags you care about in various situations. It also should be memory efficient. And you can choose to use base 10 integers in your switch statement if that's easier for you for some reason because they are equivalent to the binary literals.
With six fields
"all options turned on" can be marked as 0b111111
and none as 0b000000
I am migrating my grammar from version 3 to 4. I recognize that version 4 has listeners and visitors and I plan to use them, but hope to do the migration piece meal. I want to leave actions intact in my grammar for the time being.
I am using a custom token, and specify it using TokenLabelType in the option section of the grammar. However, the generated code uses a 'match()' method which doesn't get promoted to my custom token, causing the java compilation to fail.
I also noticed the 'start' property of a token is not promoted to the custom token type either.
Is there something else I should do to properly use custom tokens in my code?
If memory serves, Ter posted a design document on the Antlr.org site that outlines the differences between Antlr3 and 4 (cannot seem to find it at the moment).
In any case, make sure your custom token extends org.antlr.v4.runtime.CommonToken. The supported Antlr4 Action attributes are listed here. The start attribute is valid on a parser rule, but not on a token.
Note also that many of the token fields, including start, are protected. There are, however, corresponding getters defined in CommonToken -- start accessed by getStartIndex().
I'm playing around with JaySchema (https://github.com/natesilva/jayschema) for a NodeJS application I'm building using ExpressJS. I was wondering if anyone has created, or knows how to, create custom code that ammends the library to allow "strict" validation... By "strict", I mean that any JSON properties that aren't within the schema itself return an error state for the schema's validation.
If anyone has any insight into this, I'd love to hear from you.
Also, if anyone knows an alternative library (preferably available using NPM) that does offer this option, please let me know.
Thanks!
So after a bit of digging, I figured out the solution.
JaySchema supports JSON Schema's standards (details on JSON Schema Standards Docs found here). Within those standards an "additionalProperties" keyword is defined as exactly what I was looking for (more information found here).
According to the documentation (specifically section 5.4.4.4, and an example in 5.4.4.5), if "additionalProperties" is set to the boolean false, then if properties beyond those defined in the schema are found, validation fails.
Since, as I mentioned above, JaySchema supports this JSON Schema standard, if you add "additionalProperties" at the object level to false, you'll achieve the "strict" validation I was looking for.
If you're interested, you can check out the test I have up on GitHub below:
schema: with "additionalProperty" set to false
test: with an additional property added to cause validation failure