Lift no-query-ACL validation out of transformWhere

drew-gross · drew-gross · commit 559205bc64d4 · 2016-05-18T18:56:47.000-07:00
diff --git a/src/Adapters/Storage/Mongo/MongoStorageAdapter.js b/src/Adapters/Storage/Mongo/MongoStorageAdapter.js
@@ -184,6 +184,9 @@ export class MongoStorageAdapter {
   deleteObjectsByQuery(className, query, validate, schema) {
     return this.adaptiveCollection(className)
     .then(collection => {
+      if (query.ACL) {
+        throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
+      }
       let mongoWhere = transform.transformWhere(className, query, { validate }, schema);
       return collection.deleteMany(mongoWhere)
     })
diff --git a/src/Adapters/Storage/Mongo/MongoTransform.js b/src/Adapters/Storage/Mongo/MongoTransform.js
@@ -170,11 +170,17 @@ function transformQueryKeyValue(className, key, value, schema) {
     if (!(value instanceof Array)) {
       throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad $or format - use an array value');
     }
+    if (value.some(subQuery => subQuery.ACL)) {
+      throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
+    }
     return {key: '$or', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};
   case '$and':
     if (!(value instanceof Array)) {
       throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad $and format - use an array value');
     }
+    if (value.some(subQuery => subQuery.ACL)) {
+      throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
+    }
     return {key: '$and', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};
   default:
     // Other auth data
@@ -224,9 +230,6 @@ function transformQueryKeyValue(className, key, value, schema) {
 const specialQuerykeys = ['$and', '$or', '_rperm', '_wperm', '_perishable_token', '_email_verify_token'];
 function transformWhere(className, restWhere, { validate = true } = {}, schema) {
   let mongoWhere = {};
-  if (restWhere['ACL']) {
-    throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
-  }
   for (let restKey in restWhere) {
     if (validate && !specialQuerykeys.includes(restKey) && !restKey.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {
       throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${restKey}`);
diff --git a/src/Controllers/DatabaseController.js b/src/Controllers/DatabaseController.js
@@ -184,6 +184,9 @@ DatabaseController.prototype.update = function(className, query, update, {
         throw error;
       })
       .then(parseFormatSchema => {
+        if (query.ACL) {
+          throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
+        }
         var mongoWhere = this.transform.transformWhere(className, query, {validate: !this.skipValidation}, parseFormatSchema);
         mongoUpdate = this.transform.transformUpdate(
           schemaController,
@@ -668,6 +671,9 @@ DatabaseController.prototype.find = function(className, query, {
         if (!isMaster) {
           query = addReadACL(query, aclGroup);
         }
+        if (query.ACL) {
+          throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
+        }
         let mongoWhere = this.transform.transformWhere(className, query, {}, schema);
         if (count) {
           delete mongoOptions.limit;
