add schema validation for strings (don't allow arrays and literal objects)

Mick Hansen
Commit e43b9db1 authored Mar 11, 2014 by Mick Hansen
Showing with 84 additions and 22 deletions
lib/dao-validator.js
lib/utils.js
test/dao-factory/create.test.js
test/dao.validations.test.js
--- a/lib/dao-validator.js
+++ b/lib/dao-validator.js
@@ -2,6 +2,8 @@ var Validator = require("validator")
  , Utils     = require("./utils")
  , sequelizeError = require("./errors")
  , Promise = require("bluebird")
+  , DataTypes = require("./data-types")
+  , _ = require('lodash')
 function noop() {}
@@ -288,8 +290,7 @@ DaoValidator.prototype._builtinAttrValidate = function(value, field) {
 * @return {Promise} A promise.
 * @private
 */
-DaoValidator.prototype._invokeCustomValidator = Promise.method(function(validator, validatorType,
+DaoValidator.prototype._invokeCustomValidator = Promise.method(function(validator, validatorType, optAttrDefined, optValue, optField) {
-  optAttrDefined, optValue, optField) {
  var validatorFunction = null  // the validation function to call
  var isAsync = false
@@ -333,8 +334,7 @@ DaoValidator.prototype._invokeCustomValidator = Promise.method(function(validato
 * @return {Object} An object with specific keys to invoke the validator.
 * @private
 */
-DaoValidator.prototype._invokeBuiltinValidator = Promise.method(function(value,
+DaoValidator.prototype._invokeBuiltinValidator = Promise.method(function(value, test, validatorType, field) {
-  test, validatorType, field) {
  // check if Validator knows that kind of validation test
  if (typeof Validator[validatorType] !== 'function') {
@@ -368,12 +368,11 @@ DaoValidator.prototype._invokeBuiltinValidator = Promise.method(function(value,
 * @param {*} value anything.
 * @private
 */
-DaoValidator.prototype._validateSchema = function(rawAttribute,
+DaoValidator.prototype._validateSchema = function(rawAttribute, field, value) {
-  field, value) {
+  var error
-  if (rawAttribute.allowNull === false && ((value === null) ||
+  if (rawAttribute.allowNull === false && ((value === null) || (value === undefined))) {
-    (value === undefined))) {
+    error = new sequelizeError.ValidationError(field + ' cannot be null')
-    var error = new sequelizeError.ValidationError(field + ' cannot be null')
    error.path = field
    error.value = value
    error.type = error.message = 'notNull Violation'
@@ -382,6 +381,19 @@ DaoValidator.prototype._validateSchema = function(rawAttribute,
    }
    this.errors[field].push(error);
  }
+  if (rawAttribute.type === DataTypes.STRING) {
+    if (Array.isArray(value) || (_.isObject(value) && !value._isSequelizeMethod)) {
+      error = new sequelizeError.ValidationError(field + ' cannot be an array or an object')
+      error.path = field
+      error.value = value
+      error.type = error.message = 'string violation'
+      if (!this.errors.hasOwnProperty(field)) {
+        this.errors[field] = [];
+      }
+      this.errors[field].push(error);
+    }
+  }
 };

--- a/lib/utils.js
+++ b/lib/utils.js
@@ -560,6 +560,12 @@ var Utils = module.exports = {
 Utils.condition = Utils.where
+Utils.where.prototype._isSequelizeMethod = 
+Utils.literal.prototype._isSequelizeMethod = 
+Utils.cast.prototype._isSequelizeMethod = 
+Utils.fn.prototype._isSequelizeMethod = 
+Utils.col.prototype._isSequelizeMethod = true
 // I know this may seem silly, but this gives us the ability to recognize whether
 // or not we should be escaping or if we should trust the user. Basically, it
 // keeps things in perspective and organized.

--- a/test/dao-factory/create.test.js
+++ b/test/dao-factory/create.test.js
@@ -130,7 +130,7 @@ describe(Support.getTestDialectTeaser("DAOFactory"), function () {
  })
  describe('create', function() {
-    it('works with non-integer primary keys', function (done) {
+    it('works with non-integer primary keys with a default value', function (done) {
      var User = this.sequelize.define('User', {
        'id': {
          primaryKey: true,
@@ -297,9 +297,12 @@ describe(Support.getTestDialectTeaser("DAOFactory"), function () {
          }
        })
-        userWithDefaults.sync({force: true}).success(function () {
+        userWithDefaults.sync({force: true}).done(function (err) {
-          userWithDefaults.create({}).success(function (user) {
+          expect(err).not.to.be.ok
-            userWithDefaults.find(user.id).success(function (user) {
+          userWithDefaults.create({}).done(function (err, user) {
+            expect(err).not.to.be.ok
+            userWithDefaults.find(user.id).done(function (err, user) {
+              expect(err).not.to.be.ok
              var now = new Date()
                , pad = function (number) {
                  if (number > 9) {

--- a/test/dao.validations.test.js
+++ b/test/dao.validations.test.js
@@ -162,10 +162,6 @@ describe(Support.getTestDialectTeaser("DaoValidator"), function() {
        fail: "22",
        pass: "23"
      }
-    // , isArray: {
-    //     fail: 22,
-    //     pass: [22]
-    //   }
    , isCreditCard: {
        fail: "401288888888188f",
        pass: "4012888888881881"
@@ -196,7 +192,7 @@ describe(Support.getTestDialectTeaser("DaoValidator"), function() {
          var failingUser = UserFail.build({ name : failingValue })
          failingUser.validate().done( function(err, _errors) {
-            expect(_errors).to.not.be.null
+            expect(_errors).not.to.be.null
            expect(_errors).to.be.an.instanceOf(Error)
            expect(_errors.name[0].message).to.equal(message)
            done()
@@ -239,8 +235,8 @@ describe(Support.getTestDialectTeaser("DaoValidator"), function() {
        var validatorDetails = checks[validator]
        if (!validatorDetails.hasOwnProperty("raw")) {
-          validatorDetails.fail = [ validatorDetails.fail ]
+          validatorDetails.fail = Array.isArray(validatorDetails.fail) ? validatorDetails.fail : [ validatorDetails.fail ]
-          validatorDetails.pass = [ validatorDetails.pass ]
+          validatorDetails.pass = Array.isArray(validatorDetails.pass) ? validatorDetails.pass : [ validatorDetails.pass ]
        }
        for (var i = 0; i < validatorDetails.fail.length; i++) {
@@ -758,8 +754,53 @@ describe(Support.getTestDialectTeaser("DaoValidator"), function() {
      expect(user.getDataValue('name')).to.equal('RedCat')
      user.setDataValue('name','YellowCat')
-      user.validate().done(function(errors){
+      user.validate().success(function(errors) {
-        expect(errors).to.be.null
+        expect(errors).not.to.be.ok
+        done()
+      })
+    })
+    it('raises an error for array on a STRING', function (done) {
+      var User = this.sequelize.define('User', {
+        'email': {
+          type: Sequelize.STRING
+        }
+      })
+      User.build({
+        email: ['iama', 'dummy.com']
+      }).validate().success(function (errors) {
+        expect(errors.email[0]).to.be.an.instanceof(Sequelize.ValidationError)
+        done()
+      })
+    })
+    it('raises an error for {} on a STRING', function (done) {
+      var User = this.sequelize.define('User', {
+        'email': {
+          type: Sequelize.STRING
+        }
+      })
+      User.build({
+        email: {lol: true}
+      }).validate().success(function (errors) {
+        expect(errors.email[0]).to.be.an.instanceof(Sequelize.ValidationError)
+        done()
+      })
+    })
+    it('does not raise an error for null on a STRING (where null is allowed)', function (done) {
+      var User = this.sequelize.define('User', {
+        'email': {
+          type: Sequelize.STRING
+        }
+      })
+      User.build({
+        email: null
+      }).validate().success(function (errors) {
+        expect(errors).not.to.be.ok
        done()
      })
    })