fix: Server error when invalid 'sort' field is passed from an API client (#2000)

2021-03-31 18:54:02 -07:00
parent 2e64972574
commit 2ef0caba88
8 changed files with 34 additions and 4 deletions
--- a/server/api/users.js
+++ b/server/api/users.js
@ -13,9 +13,15 @@ const { authorize } = policy;
 const router = new Router();

 router.post("users.list", auth(), pagination(), async (ctx) => {
-  const { sort = "createdAt", query, includeSuspended = false } = ctx.body;
-  let direction = ctx.body.direction;
+  let {
+    sort = "createdAt",
+    query,
+    direction,
+    includeSuspended = false,
+  } = ctx.body;
  if (direction !== "ASC") direction = "DESC";
+  ctx.assertSort(sort, User);
+
  const user = ctx.state.user;

  let where = {