Skip to content

Commit 6b0efae

Browse files
BufferUnderflowerBufferUnderflower
authored
Do not allow to protect default fields (#6439)
* consider default columns * disallow protecting default fields
1 parent 4291f2b commit 6b0efae

File tree

2 files changed

+28
-3
lines changed

2 files changed

+28
-3
lines changed

spec/ProtectedFields.spec.js

Lines changed: 21 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -777,7 +777,7 @@ describe('ProtectedFields', function() {
777777
object.set('revision', 0);
778778
object.set('test', 'test');
779779

780-
await object.save({ useMasterKey: true });
780+
await object.save(null, { useMasterKey: true });
781781
}
782782

783783
beforeEach(async () => {
@@ -812,6 +812,24 @@ describe('ProtectedFields', function() {
812812
})
813813
).toBeResolved();
814814
});
815+
816+
it('should not allow protecting default fields', async () => {
817+
const defaultFields = ['objectId', 'createdAt', 'updatedAt', 'ACL'];
818+
for (const field of defaultFields) {
819+
await expectAsync(
820+
updateCLP({
821+
protectedFields: {
822+
'*': [field],
823+
},
824+
})
825+
).toBeRejectedWith(
826+
new Parse.Error(
827+
Parse.Error.INVALID_JSON,
828+
`Default field '${field}' can not be protected`
829+
)
830+
);
831+
}
832+
});
815833
});
816834

817835
describe('targeting public access', () => {
@@ -1310,10 +1328,10 @@ describe('ProtectedFields', function() {
13101328

13111329
// admin supersets moder role
13121330
moder.relation('roles').add(admin);
1313-
await moder.save({ useMasterKey: true });
1331+
await moder.save(null, { useMasterKey: true });
13141332

13151333
tester.relation('roles').add(moder);
1316-
await tester.save({ useMasterKey: true });
1334+
await tester.save(null, { useMasterKey: true });
13171335

13181336
const roleAdmin = `role:${admin.get('name')}`;
13191337
const roleModer = `role:${moder.get('name')}`;

src/Controllers/SchemaController.js

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -307,6 +307,13 @@ function validateCLP(
307307

308308
// if the field is in form of array
309309
for (const field of protectedFields) {
310+
// do not alloow to protect default fields
311+
if (defaultColumns._Default[field]) {
312+
throw new Parse.Error(
313+
Parse.Error.INVALID_JSON,
314+
`Default field '${field}' can not be protected`
315+
);
316+
}
310317
// field should exist on collection
311318
if (!Object.prototype.hasOwnProperty.call(fields, field)) {
312319
throw new Parse.Error(

0 commit comments

Comments
 (0)