Giters

mblarsen / mongoose-hidden

A Mongoose schema plugin for filtering properties you usually do not want to sent client-side like passwords and IDs.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Doesn't work for non-schema fields

bisubus opened this issue · comments

commented

Some of the documents have got __t discriminator field (likely a legacy value, because contains a reference to a model that doesn't exist anymore). Some have got createdAt and updatedAt fields, while a schema currently doesn't have enabled timestamps option.

For described model { defaultHidden: { custom: true, __t: true, createdAt: true, updatedAt: true, __v: true }} results in debugger output:

mongoose-hidden Object: hiding "custom" +0ms
mongoose-hidden Object: copy "_id" +1ms
mongoose-hidden Object: hiding "__v" +1ms
mongoose-hidden Object: copy "createdAt" +1ms
mongoose-hidden Object: copy "updatedAt" +0ms
mongoose-hidden Object: copy "__t" +1ms

And respective JSON output:

    _id: ...,
    createdAt: ...,
    updatedAt: ...,
    __t: 'NonExisting' },

When timestamps option is enabled for the schema, createdAt and updatedAt are removed by the plugin, but __t is still there.

commented

Could you post the schema and options for this setup?

commented

My older documents look like

{
   "_id": ObjectId("..."),
   "createdAt": ISODate("..."),
   "updatedAt": ISODate("..."),
   "__t": "NonExisting",
   "__v": NumberInt(0) 
}

And I guess older schema was something like (not sure about linked part but I believe that there was something like that and this could explain why __t exists in older documents)

var schema = new Schema({
  linked : {
    type: Schema.Types.ObjectId,
    ref: 'NonExisting'
  }
});
schema.set('timestamps', true);

While newer schema has no timestamps or mention of NonExisting, something like

var schema = new Schema({ custom: String });
schema.plugin(mongooseHidden, { defaultHidden: {
  custom: true, __t: true, createdAt: true, updatedAt: true, __v: true
}} );

This results in __t, createdAt, updatedAt leaking to JSON output when they aren't additionally filtered out with select(...).

Maybe fields that was removed from the schema don't necessarily have to covered by this plugin (I have to do select(Object.keys(model.schema.paths).join(' ')) everywhere where I don't want non-schema fields, not sure if there is a plugin that does that automatically).

But __t looks like a special case, because it seems to be internal but cannot be filtered out in the same way as __v.

commented

I think it can be handled by the plugin. Working it into #12 (comment)

commented

@bisubus did you get to try out this yet?