Is there a concept of "protected" fields in findByIdAndUpdate?

Question

Lets say I have a few fields that I don't want modified. In my case my users can utilize a PATCH request which invokes this method:

Ad.findByIdAndUpdate(req.params.id, req.body, {new: true})

Technically I can "manually" filter the "req.body" object and remove everything that should not be updated even if they specifically send those fields in the request, but is there a better way, perhaps, adding a "protected" flag in the relevant schema something like this:

title: {
    type: String,
    required: true,
    protected: true
}

Check out [this thread](https://stackoverflow.com/questions/11436071/does-mongoose-provide-access-to-previous-value-of-property-in-presave) that could solve your problem. — Adam, Sep 24 '18 at 04:49
What does `protected` signifies? How are you setting the initial value? — Akrion, Sep 24 '18 at 05:15
To achieve a `protected` type feature for some fields, you can try custom setters for the schema fields. — Shivam Pandey, Sep 24 '18 at 05:43
You can create a middleware function and that will pass only validated data to next middleware. — Aabid, Sep 24 '18 at 06:23

score 0 · Answer 1 · answered Sep 24 '18 at 06:46

Some concerns:

Wouldn't you validate user's input and throw on errors? Is it still a correct request, if the user sends arbitrary data?
If you don't validate, how do you sanitize?
If you don't validate, why don't you filter the request?

I'd strongly recommend doing validation (e.g. with some json-schema-library) and perform sanitization on the values afterwards. On top of that, you can use Monogram to disallow having some properties being updated. In this case, a request with unexpected params in the payload, would throw and return some error (e.g. BAD REQUEST)

Is there a concept of "protected" fields in findByIdAndUpdate?

1 Answers1