fix(server): additionally protect /api/users

BREAKING CHANGE: This adds additional authorization checks for the new user creation REST endpoint.
Your authsome modes have to be updated.

packages/components/model-user/src/api_users.js

@@ -56,9 +56,17 @@ const UsersAPI = app => {
   // Create a user
   app.post('/api/users', async (req, res, next) => {
     try {
-      let user = new User(req.body)
+      // TODO: Remove this in favor of checking in authsome
       if (req.body.admin) throw new ValidationError('invalid property: admin')
 
+      const properties = await applyPermissionFilter({
+        req,
+        target: req.route,
+        filterable: req.body,
+      })
+
+      let user = new User(properties)
+
       user = await user.save()
       res.status(STATUS.CREATED).json(user)
     } catch (err) {

packages/server/test/helpers/authsome_mode.js

@@ -77,6 +77,10 @@ function unauthenticatedUser(operation, object) {
     }
   }
 
+  if (operation === 'POST' && object && object.path === '/api/users') {
+    return true
+  }
+
   return false
 }