Fixing issue with DELETE and PUT METHOD were working without any params.id

lib/handlers.js

@@ -82,6 +82,11 @@ exports.post = function(req, res, next) {
 };
 
 exports.put = function(req, res, next) {
+  //before PUT atleast check if params.id is there or not
+  if ((!req.params.id || !mongoose.Types.ObjectId.isValid(req.params.id)) && this.isSecureDelete) {
+        exports.respond(res, 400, exports.badRequest());
+        return next();
+  }
   // Remove immutable ObjectId from update attributes to prevent request failure
   if (req.body._id && req.body._id === req.params.id) {
     delete req.body._id;
@@ -121,6 +126,13 @@ exports.put = function(req, res, next) {
 };
 
 exports.delete = function(req, res, next) {
+    //before delete atleast check if params.id is there or not. Or it will deleting entire model
+    //if you want to allow it you can set in in the model isSecureDelete=false
+    if ((!req.params.id || !mongoose.Types.ObjectId.isValid(req.params.id)) && this.isSecureDelete) {
+        exports.respond(res, 400, exports.badRequest());
+        return next();
+    }
+
   // Delete in 1 atomic operation on the database if not specified otherwise
   if (this.shouldUseAtomicUpdate) {
     req.quer.findOneAndRemove({}, this.delete_options, function(err, obj) {

lib/model.js

@@ -56,7 +56,8 @@ var methods = ['get', 'post', 'put', 'delete'], // All HTTP methods, PATCH not c
       remove_options: {},
       templateRoot: '',
       shouldIncludeSchema: true,
-      shouldUseAtomicUpdate: true
+      shouldUseAtomicUpdate: true,
+      isSecureDelete:true
     };
   };