From 2d59de1b706a2b8ce27a8eb10f54eb1fd9463740 Mon Sep 17 00:00:00 2001
From: Sandro Santilli
Date: Mon, 17 Sep 2012 11:11:10 +0200
Subject: [PATCH 1/3] Add a couple of additional tests about forbidden INSERT attempts.

These are:
- NO api key used
- INSERT in public table

Both tests are already passing
---
 test/acceptance/app.auth.test.js | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/test/acceptance/app.auth.test.js b/test/acceptance/app.auth.test.js
index c89746b3..49dbc627 100644
--- a/test/acceptance/app.auth.test.js
+++ b/test/acceptance/app.auth.test.js
@@ -45,4 +45,28 @@ test('invalid api key (old redis location) should NOT allow insert in protected
 }, function() { done(); });
 });
+test('no api key should NOT allow insert in protected tables', function(done){
+ assert.response(app, {
+ // view prepare_db.sh to see where to set api_key
+ url: "/api/v1/sql?q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('RAMBO')",
+
+ headers: {host: 'vizzuality.cartodb.com' },
+ method: 'GET'
+ },{
+ status: 400
+ }, function() { done(); });
+});
+
+test('no api key should NOT allow insert in public tables', function(done){
+ assert.response(app, {
+ // view prepare_db.sh to find public table name and structure
+ url: "/api/v1/sql?q=INSERT%20INTO%20untitle_table_4%20(name)%20VALUES%20('RAMBO')",
+
+ headers: {host: 'vizzuality.cartodb.com' },
+ method: 'GET'
+ },{
+ status: 400
+ }, function() { done(); });
+});
+
 });

From 8b824801cff96146cf40a194223b052170fa8ad1 Mon Sep 17 00:00:00 2001
From: Sandro Santilli
Date: Mon, 17 Sep 2012 11:50:19 +0200
Subject: [PATCH 2/3] Fix INSERT and UPDATE with RETURNING clause.

Closes #50
Includes regression test
---
 app/controllers/app.js | 9 ++-----
 test/acceptance/app.test.js | 54 +++++++++++++++++++++++++++++++++++--
 2 files changed, 54 insertions(+), 9 deletions(-)

diff --git a/app/controllers/app.js b/app/controllers/app.js
index 4893bfe9..e87172b0 100755
--- a/app/controllers/app.js
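Review bot: Both new tests assert only `status: 400`, so a 400 raised for any other reason (a query the API rejects as malformed, for instance) would still pass while the test names claim the INSERT was refused for lack of an api key. The callback handed to assert.response in this hunk is `function() { done(); }` and never looks at the response; checking the body would tie the rejection to the permission check, e.g. `}, function(res) { assert.ok(/<expected permission-denied message>/.test(res.body)); done(); });` with the placeholder replaced by the error text the API actually returns. For the public-table case a follow-up SELECT counting rows named 'RAMBO' in untitle_table_4 would additionally show that nothing was written. The surrounding `});` context lines close a block that opens before the hunk.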
+++ b/app/controllers/app.js
@@ -160,14 +160,9 @@ function handleQuery(req, res) {
 var end = new Date().getTime();
 var json_result = {'time' : (end - start)/1000};
-
- if (result.command === 'SELECT') {
- json_result.total_rows = result.rows.length;
- json_result.rows = result.rows;
- } else {
 json_result.total_rows = result.rowCount;
- }
-
+ json_result.rows = result.rows;
+
 return json_result;
 }
 },
diff --git a/test/acceptance/app.test.js b/test/acceptance/app.test.js
index 90aee4de..373dcc69 100644
--- a/test/acceptance/app.test.js
+++ b/test/acceptance/app.test.js
@@ -16,8 +16,8 @@ require('../support/assert');
 var app = require(global.settings.app_root + '/app/controllers/app')
 , assert = require('assert')
- , tests = module.exports = {}
- , querystring = require('querystring');
+ , querystring = require('querystring')
+ , _ = require('underscore');
 // allow lots of emitters to be set to silence warning
 app.setMaxListeners(0);
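Review bot: The rewritten tail of handleQuery now sets `json_result.total_rows = result.rowCount` and `json_result.rows = result.rows` for every command, which is what exposes RETURNING rows, but it also changes what total_rows means for an INSERT or UPDATE without RETURNING: rowCount is the number of rows affected while rows is presumably empty, so total_rows and rows.length can now disagree, whereas the removed SELECT branch kept them equal by construction. A comment above the rowCount line would stop the next reader from "fixing" it back, e.g. `// total_rows is the command's row count (rows affected); it can exceed rows.length when a write has no RETURNING clause`, and the API response documentation should state that `rows` is now always present rather than only for SELECT. handleQuery begins before this hunk, and the closing `}` / `},` context lines belong to callbacks whose opening is outside it.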
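Review bot: The require list now pulls in `underscore`, and its only use in this patch is `_.keys(out.rows[0]).length` in the `@@ -111,6 +111,56 @@` hunk, where `Object.keys(out.rows[0]).length` gives the same result with no new module; unless underscore is already declared in the project's package manifest (not visible here) the test file will fail at load time rather than in a test. The same hunk also drops `tests = module.exports = {}`, which is fine only if nothing requires this file for its exports; I cannot confirm that from here.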
@@ -111,6 +111,56 @@ test('GET /api/v1/sql with SQL parameter on INSERT only. header based db - shoul
 });
 });
+// Check results from INSERT .. RETURNING
+//
+// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/50
+test('INSERT with RETURNING returns all results', function(done){
+ assert.response(app, {
+ // view prepare_db.sh to see where to set api_key
+ url: "/api/v1/sql?api_key=1234&" + + querystring.stringify({q:
+ "INSERT INTO private_table(name) VALUES('test') RETURNING upper(name), reverse(name)"
+ }),
+ headers: {host: 'vizzuality.localhost.lan:8080' },
+ method: 'GET'
+ },{}, function(res) {
+ assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
+ var out = JSON.parse(res.body);
+ assert.ok(out.hasOwnProperty('time'));
+ assert.equal(out.total_rows, 1);
+ assert.equal(out.rows.length, 1);
+ assert.equal(_.keys(out.rows[0]).length, 2);
+ assert.equal(out.rows[0].upper, 'TEST');
+ assert.equal(out.rows[0].reverse, 'tset');
+ done();
+ });
+});
+
+// Check results from UPDATE ..
RETURNING
+//
+// See https://github.com/Vizzuality/CartoDB-SQL-API/issues/50
+test('UPDATE with RETURNING returns all results', function(done){
+ assert.response(app, {
+ // view prepare_db.sh to see where to set api_key
+ url: "/api/v1/sql?api_key=1234&" + + querystring.stringify({q:
+ "UPDATE private_table SET name = 'tost' WHERE name = 'test' RETURNING upper(name), reverse(name)"
+ }),
+ headers: {host: 'vizzuality.localhost.lan:8080' },
+ method: 'GET'
+ },{}, function(res) {
+ assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
+ var out = JSON.parse(res.body);
+ assert.ok(out.hasOwnProperty('time'));
+ assert.equal(out.total_rows, 1);
+ assert.equal(out.rows.length, 1);
+ assert.equal(_.keys(out.rows[0]).length, 2);
+ assert.equal(out.rows[0].upper, 'TOST');
+ assert.equal(out.rows[0].reverse, 'tsot');
+ done();
+ });
+});
+
 test('GET /api/v1/sql with SQL parameter on DROP DATABASE only.header based db - should fail', function(){
 assert.response(app, {
 url: "/api/v1/sql?q=DROP%20TABLE%20untitle_table_4",

From f05f18e552700ef3ac4885b2e6f67533843e260e Mon Sep 17 00:00:00 2001
From: Luis Bosque
Date: Tue, 18 Sep 2012 17:04:29 +0200
Subject: [PATCH 3/3] added NEWS.md

---
 NEWS.md | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 NEWS.md

diff --git a/NEWS.md b/NEWS.md
new file mode 100644
index 00000000..e9daaea1
--- /dev/null
+++ b/NEWS.md
@@ -0,0 +1,3 @@
+0.9.0 (18/09/12)
+-----
+* Fix INSERT and UPDATE with RETURNING clause
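Review bot: The UPDATE test only works because the INSERT test directly above it has just created the row named 'test' in private_table; run on its own, in a different order, or after an INSERT failure it gets `total_rows` 0 and fails for a reason unrelated to RETURNING. Neither test removes the rows it creates either, so any later test that reads private_table would see 'test' or 'tost' left behind, which I cannot rule out from this hunk. Seeding the row inside the UPDATE test itself, as sketched below, removes the ordering dependency; a DELETE of the created rows in each test's final callback would take care of the leftovers.
```javascript
test('UPDATE with RETURNING returns all results', function(done){
  // Seed the row this test updates so it does not depend on the INSERT test above
  assert.response(app, {
    url: "/api/v1/sql?api_key=1234&" +
      querystring.stringify({q: "INSERT INTO private_table(name) VALUES('test')"}),
    headers: {host: 'vizzuality.localhost.lan:8080' },
    method: 'GET'
  },{}, function(res) {
    assert.equal(res.statusCode, 200, res.statusCode + ': ' + res.body);
    // … unchanged: the UPDATE … RETURNING request and its assertions, nested here …
  });
});
```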