feat(routes): PUT /session 403 if id role missing

hoodiehq · Nov 29, 2015 · 36f0049 · 36f0049
1 parent 08eaec9
commit 36f0049
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/utils/session/create.js b/utils/session/create.js
@@ -39,6 +39,11 @@ function createSession (options, callback) {
 
     var accountId = findIdInRoles(body.roles)
     var isAdmin = hasAdminRole(body.roles)
+
+    if (!isAdmin && !accountId) {
+      return callback(Boom.forbidden(('"id:..." role missing (https://github.com/hoodiehq/hoodie-server-account/blob/master/how-it-works.md#id-role)')))
+    }
+
     var session = {
       id: bearerToken,
       account: {