Merge pull request #5516 from sushantdhiman/fix-4091

Fix DELETE WHERE 1=1 when complex objects passed in options.where to destroy or update

lib/model.js

@@ -2285,6 +2285,10 @@ Model.prototype.destroy = function(options) {
     throw new Error('Missing where or truncate attribute in the options parameter of model.destroy.');
     throw new Error('Missing where or truncate attribute in the options parameter of model.destroy.');
   }
   }
 
 
+  if (!options.truncate && !_.isPlainObject(options.where) && !_.isArray(options.where) && options.where._isSequelizeMethod !== true) {
+    throw new Error('Expected plain object, array or sequelize method in the options.where parameter of model.destroy.');
+  }
+
   options = Utils._.extend({
   options = Utils._.extend({
     hooks: true,
     hooks: true,
     individualHooks: false,
     individualHooks: false,
@@ -2445,6 +2449,10 @@ Model.prototype.update = function(values, options) {
     throw new Error('Missing where attribute in the options parameter passed to update.');
     throw new Error('Missing where attribute in the options parameter passed to update.');
   }
   }
 
 
+  if (!_.isPlainObject(options.where) && !_.isArray(options.where) && options.where._isSequelizeMethod !== true) {
+    throw new Error('Expected plain object, array or sequelize method in the options.where parameter of model.update.');
+  }
+
   options = Utils._.extend({
   options = Utils._.extend({
     validate: true,
     validate: true,
     hooks: true,
     hooks: true,

test/unit/model/destroy.test.js

+'use strict';
+
+/* jshint -W030 */
+var chai = require('chai')
+  , expect = chai.expect
+  , Support = require(__dirname + '/../support')
+  , current = Support.sequelize
+  , sinon = require('sinon')
+  , Promise = current.Promise
+  , DataTypes = require('../../../lib/data-types')
+  , _ = require('lodash');
+
+describe(Support.getTestDialectTeaser('Model'), function() {
+
+  describe('method destroy', function () {
+    var User = current.define('User', {
+      name: DataTypes.STRING,
+      secretValue: DataTypes.INTEGER
+    });
+
+    before(function () {
+      this.stubDelete = sinon.stub(current.getQueryInterface(), 'bulkDelete', function () {
+        return Promise.resolve([]);
+      });
+    });
+
+    beforeEach(function () {
+      this.deloptions = {where: {secretValue: '1'}};
+      this.cloneOptions = _.clone(this.deloptions);
+      this.stubDelete.reset();
+    });
+
+    afterEach(function () {
+      delete this.deloptions;
+      delete this.cloneOptions;
+    });
+
+    after(function () {
+      this.stubDelete.restore();
+    });
+
+    it('properly clones options', function() {
+      var self = this;
+      return User.destroy(self.deloptions).bind(this).then(function(e) {
+        expect(self.deloptions).to.be.deep.eql(self.cloneOptions);
+      });
+    });
+
+    it('can detect complexe objects', function() {
+      var Where = function () { this.secretValue = '1'; };
+
+      expect(function () {
+        User.destroy({where: new Where()});
+      }).to.throw();
+
+    });
+  });
+});

test/unit/model/update.test.js

@@ -55,5 +55,14 @@ describe(Support.getTestDialectTeaser('Model'), function() {
       });
       });
     });
     });
 
 
+    it('can detect complexe objects', function() {
+      var self = this;
+      var Where = function () { this.secretValue = '1'; };
+
+      expect(function () {
+        User.update(self.updates, {where:new Where()});
+      }).to.throw();
+
+    });
   });
   });
 });
 });