| author | Chirayu Krishnappa | 2013-11-08 20:44:32 -0800 | 
|---|---|---|
| committer | Chirayu Krishnappa | 2013-11-11 16:17:34 -0800 | 
| commit | 9577702e8d2519c1a60f5ac4058e63bd7b919815 (patch) | |
| tree | 69a063c50e1b575a77d86abec1587a74d07cc3fd /src/ngResource/resource.js | |
| parent | a61b65d01b468502fe53d68818949d3fcc9f20f6 (diff) | |
fix($resource): don't use $parse for @dotted.member
params and paramDefaults support looking up the parameter value from the
data object.  The syntax for that is `@nested.property.name`.
Currently, $resource uses $parse to do this.  This is too liberal
(you can use values like `@a=b` or `@a | filter` and have it work -
which doesn't really make sense).  It also puts up a dependency on
$parse which has restrictions to secure expressions used in
templates.  The value here, though a string, is specified in Javascript
code and shouldn't have those restrictions.
Diffstat (limited to 'src/ngResource/resource.js')
| -rw-r--r-- | src/ngResource/resource.js | 32 | 
1 files changed, 26 insertions, 6 deletions
| diff --git a/src/ngResource/resource.js b/src/ngResource/resource.js
index 56d32f5e..f2e7ff62 100644
--- a/src/ngResource/resource.js
+++ b/src/ngResource/resource.js
@@ -2,6 +2,28 @@
 var $resourceMinErr = angular.$$minErr('$resource');
+// Helper functions and regex to lookup a dotted path on an object
+// stopping at undefined/null.  The path must be composed of ASCII
+// identifiers (just like $parse)
+var MEMBER_NAME_REGEX = /^(\.[a-zA-Z_$][0-9a-zA-Z_$]*)+$/;
+
+function isValidDottedPath(path) {
+  return (path != null && path !== '' && path !== 'hasOwnProperty' &&
+      MEMBER_NAME_REGEX.test('.' + path));
+}
+
+function lookupDottedPath(obj, path) {
+  if (!isValidDottedPath(path)) {
+    throw $resourceMinErr('badmember', 'Dotted member path "@{0}" is invalid.', path);
+  }
+  var keys = path.split('.');
+  for (var i = 0, ii = keys.length; i < ii && obj !== undefined; i++) {
+    var key = keys[i];
+    obj = (obj !== null) ? obj[key] : undefined;
+  }
+  return obj;
+}
+
 /**
  * @ngdoc overview
  * @name ngResource
@@ -285,7 +307,8 @@ var $resourceMinErr = angular.$$minErr('$resource');
     </doc:example>
  */
 angular.module('ngResource', ['ng']).
-  factory('$resource', ['$http', '$parse', '$q', function($http, $parse, $q) {
+  factory('$resource', ['$http', '$q', function($http, $q) {
+
     var DEFAULT_ACTIONS = {
       'get':    {method:'GET'},
       'save':   {method:'POST'},
@@ -297,10 +320,7 @@ angular.module('ngResource', ['ng']).
         forEach = angular.forEach,
         extend = angular.extend,
         copy = angular.copy,
-        isFunction = angular.isFunction,
-        getter = function(obj, path) {
-          return $parse(path)(obj);
-        };
+        isFunction = angular.isFunction;
     /**
      * We need our custom method because encodeURIComponent is too aggressive and doesn't follow
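Review bot: In `isValidDottedPath` the `path !== 'hasOwnProperty'` comparison covers only the whole path, so segments such as `constructor`, `__proto__` or `a.hasOwnProperty` pass `MEMBER_NAME_REGEX`, and `lookupDottedPath` then reads them with a plain `obj[key]`, which follows the prototype chain. That is tolerable while the path is a literal written in application code, as the commit message states, but the helper's header comment does not record that assumption. I would add it there, for example `// The path is trusted input: it must come from application code, never from request or user data.` If only the data object's own fields are meant to be reachable, the loop step could instead be `obj = (obj !== null && Object.prototype.hasOwnProperty.call(obj, key)) ? obj[key] : undefined;`, with the caveat that this also stops lookups of inherited fields that existing callers may rely on.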
@@ -415,7 +435,7 @@ angular.module('ngResource', ['ng']).
         forEach(actionParams, function(value, key){
           if (isFunction(value)) { value = value(); }
           ids[key] = value && value.charAt && value.charAt(0) == '@' ?
-            getter(data, value.substr(1)) : value;
+            lookupDottedPath(data, value.substr(1)) : value;
         });
         return ids;
       } | 
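Review bot: The `@` test on `value` runs after `if (isFunction(value)) { value = value(); }`, so the return value of a function-valued param is also interpreted as a dotted path, and with `lookupDottedPath` any such string that fails the path check now throws the `badmember` error while the request parameters are being built. If those functions can return runtime data, a leading `@` in that data changes meaning from literal value to member lookup, which callers are unlikely to expect. At minimum I would document the rule next to the assignment, e.g. `// Any string starting with '@' is a member path into data; an invalid path throws badmember.`, and mirror it in the ngdoc for `params`/`paramDefaults`. The enclosing function starts above this hunk, so where `actionParams` originates is not visible here.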
