Fix update request did not go through global polciies

dynamiccast · dynamiccast · commit 8c268a1cdaad · 2016-08-11T13:19:33.000+02:00
diff --git a/README.md b/README.md
@@ -17,6 +17,7 @@ npm install --save sails-json-api-blueprints
 ````
 
 Please note the following :
+- Default policies (`'*': 'somePolicy'`) will not work by default for update requests. See *Usage:Policies are not applied on custom actions for updates (PATCH method)* for details on how to fix it.
 - Being a set of blueprints this only works if `sails.config.blueprints.rest` is set to true (is it by default)
 - `sails.config.blueprints.pluralize` will be set to true to match the JSON API specification
 - Default responses will be overridden to respond with valid JSON API errors
@@ -47,6 +48,29 @@ As shown in [tests/dummy/api/controllers/UserController.js:24](https://github.co
 - `destroyOneRecord` DELETE /{model}
 - `updateOneRecord` PATCH /{model}/{id}
 
+## Policies are not applied on custom actions for updates (PATCH method)
+
+By default, due to the fact updates are handled with PUT methods and not PATCH methods in sails, *sails-json-api-blueprints* have to inject a route redirecting all incoming PATCH request to the update action. This is transparent for the user, but this means requests do no go though default policies if any.
+
+To fix this, create a new route in `config/routes.js`:
+
+````
+'PATCH /api/:model/:id': {
+  controller: 'App', // replace with an actual controller
+  action: 'update' // This can be any name
+}
+````
+
+Then in `AppController.js`, add the following `update` method:
+
+````
+update: function(req, res) {
+  return JsonApiService.updateMethod(req, res);
+}
+````
+
+This way you are guaranteed incoming requests go through default policies before being redirected to the update blueprint.
+
 ## Data validation
 
 This module is compatible with default Sails.js waterline validations and *sails-hook-validation*. It will produce a JSON API error compliant object.
diff --git a/lib/api/services/JsonApiService.js b/lib/api/services/JsonApiService.js
@@ -142,6 +142,27 @@ module.exports = {
     return converted;
   },
 
+  /*
+   * Function to call to process a generic PATCH request
+   *
+   * @param {Object} Sails request object
+   * @param {Object} Sails response object
+   */
+  updateMethod: function(req, res) {
+    let id = req.allParams()['id'];
+    let model = pluralize.singular(req.param('model'));
+
+    req.options.controller = model;
+    req.options.model = model;
+
+    if (sails.controllers[model].update !== undefined) {
+      return sails.controllers[model].update(req, res);
+    } else {
+      req.body = JsonApiService.deserialize(req.body);
+      return JsonApiService.updateOneRecord(req, res);
+    }
+  },
+
   deserialize: function(data) {
 
     var caseSetting = this.getAttributesDeserializedCaseSetting();
diff --git a/lib/hook.js b/lib/hook.js
@@ -62,18 +62,7 @@ module.exports = function(sails) {
     path = 'PATCH /:model/:id';
   }
   patchRoute[path] = function(req, res) {
-    let id = req.allParams()['id'];
-    let model = pluralize.singular(req.param('model'));
-
-    req.options.controller = model;
-    req.options.model = model;
-
-    if (sails.controllers[model].update !== undefined) {
-      return sails.controllers[model].update(req, res);
-    } else {
-      req.body = JsonApiService.deserialize(req.body);
-      return BlueprintController.update(req, res);
-    }
+    return JsonApiService.updateMethod(req, res);
   };
 
   /**
