fixed sqlemu to return forbidden when table name contains "private" in its name

2014-01-28 12:04:10 +01:00 · 2014-01-28 12:04:10 +01:00 · bdea9f10fc
commit bdea9f10fc
parent dc3d36e0a5
1 changed files with 15 additions and 10 deletions
--- a/test/support/SQLAPIEmu.js
+++ b/test/support/SQLAPIEmu.js
@ -1,5 +1,6 @@
 var http        = require('http');
 var url         = require('url');
+var _ = require('underscore');

 var o = function(port, cb) {

@ -22,7 +23,6 @@ var o = function(port, cb) {
        req.on('end', function() {
          //console.log("Data is: "); console.dir(data);
          query = JSON.parse(data);
-          //console.log("Parsed is: "); console.dir(query);
          //console.log("handleQuery is " + that.handleQuery);
          that.handleQuery(query, res);
        });
@ -45,15 +45,20 @@ o.prototype.handleQuery = function(query, res) {
      };
      res.write(JSON.stringify({rows: [ row ]}));
    } else {
-      var qs = JSON.stringify(query);
-      var row = {
-        // This is the structure of the known query sent by tiler
-        'cdb_querytables': '{' + qs + '}',
-        'max': qs
-      };
-      var out_obj = {rows: [ row ]};
-      var out = JSON.stringify(out_obj);
-      res.write(out);
+      if ( query.q.match('_private_') && query.api_key === undefined) {
+        res.statusCode = 403;
+        res.write(JSON.stringify({'error':'forbidden: ' + JSON.stringify(query)}));
+      } else {
+        var qs = JSON.stringify(query);
+        var row = {
+          // This is the structure of the known query sent by tiler
+          'cdb_querytables': '{' + qs + '}',
+          'max': qs
+        };
+        var out_obj = {rows: [ row ]};
+        var out = JSON.stringify(out_obj);
+        res.write(out);
+      }
    }
    res.end();
  };