Description
I have a model with a payment ID, and when I do a GET request it returns the blacklisted item
WorkOrder.create({
id: 1,
requestedDate: new Date(),
user: user[0],
product: product[0],
paid: true,
paymentID: 'abcd12'
})
When I do a simple get call to /workOrder/1
it('should not return the paymentID to the registered user', function(){
return request
.get('/workOrder/1')
.expect(200)
.then(function(res){
console.log(res.body)
return expect(res.body.paymentID).to.equal(undefined)
})
})
It returns the paymentID with the payload
{ user: 322,
product: 733,
id: 1,
requestedDate: '2016-11-06T15:04:41.174Z',
paid: true,
paymentID: 'abcd12',
createdAt: '2016-11-06T15:04:41.179Z',
updatedAt: '2016-11-06T15:04:41.179Z' }
even though in bootstrap.js I have
ok = ok.then(function(){
return PermissionService.grant({
role: 'registered',
model: 'WorkOrder',
action: 'read',
criteria: {blacklist: ['paymentID']}
})
})
and in criteria
sails> Criteria.find({}).then(function(r) {console.log(r)})
Promise {
_bitField: 0,
_fulfillmentHandler0: undefined,
_rejectionHandler0: undefined,
_promise0: undefined,
_receiver0: undefined }
sails> [
{ permission: 11953,
blacklist: [ 'paymentID' ],
createdAt: '2016-11-06T15:11:52.648Z',
updatedAt: '2016-11-06T15:11:52.648Z',
id: 46 } ]
and in permissions
sails> Permission.find({id: 11953}).populate('model').populate('role').then(function(r){console.log(r)})
Promise {
_bitField: 0,
_fulfillmentHandler0: undefined,
_rejectionHandler0: undefined,
_promise0: undefined,
_receiver0: undefined }
sails> [ { model:
{ name: 'WorkOrder',
identity: 'workorder',
attributes:
...
id: 2029 },
role:
{ name: 'registered',
active: true,
createdAt: '2016-11-06T15:11:51.522Z',
updatedAt: '2016-11-06T15:11:51.522Z',
id: 572 },
action: 'read',
relation: 'role',
createdAt: '2016-11-06T15:11:52.640Z',
updatedAt: '2016-11-06T15:11:52.642Z',
id: 11953 } ]