
Commit b343de0

awgeorgeacinader
authored and committed
Set default protectedFields and remove previous filter logic
1 parent 95831a5 commit b343de0


8 files changed

+91
-14
lines changed


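--- a/spec/MongoSchemaCollectionAdapter.spec.js
+++ b/spec/MongoSchemaCollectionAdapter.spec.js
@@ -23,6 +23,7 @@ describe('MongoSchemaCollection', () => {
 create: { '*': true },
 delete: { '*': true },
 addField: { '*': true },
+protectedFields: { '*': [] },
 },
 indexes: {
 name1: { deviceToken: 1 },
@@ -72,6 +73,7 @@ describe('MongoSchemaCollection', () => {
 update: { '*': true },
 delete: { '*': true },
 addField: { '*': true },
+protectedFields: { '*': [] },
 },
 indexes: {
 name1: { deviceToken: 1 },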

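--- a/spec/ParseLiveQueryServer.spec.js
+++ b/spec/ParseLiveQueryServer.spec.js
@@ -257,6 +257,7 @@ describe('ParseLiveQueryServer', function() {
 find: {},
 update: {},
 delete: { '*': true },
+protectedFields: {},
 });
 
 expect(deleteSpy).toHaveBeenCalled();
@@ -270,6 +271,7 @@ describe('ParseLiveQueryServer', function() {
 find: {},
 update: {},
 delete: { '*': true },
+protectedFields: {},
 });
 done();
 })
@@ -1920,6 +1922,7 @@ describe('LiveQueryController', () => {
 find: {},
 update: {},
 delete: { '*': true },
+protectedFields: {},
 });
 
 expect(deleteSpy).toHaveBeenCalled();
@@ -1933,6 +1936,7 @@ describe('LiveQueryController', () => {
 find: {},
 update: {},
 delete: { '*': true },
+protectedFields: {},
 });
 done();
 })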

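--- a/spec/Schema.spec.js
+++ b/spec/Schema.spec.js
@@ -320,6 +320,7 @@ describe('SchemaController', () => {
 update: { '*': true },
 delete: { '*': true },
 addField: { '*': true },
+protectedFields: { '*': [] },
 },
 };
 expect(dd(actualSchema, expectedSchema)).toEqual(undefined);
@@ -338,6 +339,7 @@ describe('SchemaController', () => {
 update: { '*': true },
 delete: { '*': true },
 addField: { '*': true },
+protectedFields: { '*': [] },
 };
 config.database.loadSchema().then(schema => {
 schema
@@ -461,6 +463,7 @@ describe('SchemaController', () => {
 update: { '*': true },
 delete: { '*': true },
 addField: { '*': true },
+protectedFields: { '*': [] },
 },
 };
 expect(dd(actualSchema, expectedSchema)).toEqual(undefined);
@@ -653,6 +656,68 @@ describe('SchemaController', () => {
 });
 });
 
+it('refuses to add CLP with incorrect find', done => {
+const levelPermissions = {
+find: { '*': false },
+get: { '*': true },
+create: { '*': true },
+update: { '*': true },
+delete: { '*': true },
+addField: { '*': true },
+protectedFields: { '*': ['email'] },
+};
+config.database.loadSchema().then(schema => {
+schema
+.validateObject('NewClass', {})
+.then(() => schema.reloadData())
+.then(() =>
+schema.updateClass(
+'NewClass',
+{},
+levelPermissions,
+{},
+config.database
+)
+)
+.then(done.fail)
+.catch(error => {
+expect(error.code).toEqual(Parse.Error.INVALID_JSON);
+done();
+});
+});
+});
+
+it('refuses to add CLP with incorrect protectedFields', done => {
+const levelPermissions = {
+find: { '*': true },
+get: { '*': true },
+create: { '*': true },
+update: { '*': true },
+delete: { '*': true },
+addField: { '*': true },
+protectedFields: { '*': 'email' },
+};
+config.database.loadSchema().then(schema => {
+schema
+.validateObject('NewClass', {})
+.then(() => schema.reloadData())
+.then(() =>
+schema.updateClass(
+'NewClass',
+{},
+levelPermissions,
+{},
+config.database
+)
+)
+.then(done.fail)
+.catch(error => {
+expect(error.code).toEqual(Parse.Error.INVALID_JSON);
+done();
+});
+});
+});
+
 it('will create classes', done => {
 config.database
 .loadSchema()
@@ -706,6 +771,7 @@ describe('SchemaController', () => {
 update: { '*': true },
 delete: { '*': true },
 addField: { '*': true },
+protectedFields: { '*': [] },
 },
 };
 expect(dd(actualSchema, expectedSchema)).toEqual(undefined);
@@ -751,6 +817,7 @@ describe('SchemaController', () => {
 update: { '*': true },
 delete: { '*': true },
 addField: { '*': true },
+protectedFields: { '*': [] },
 },
 };
 expect(dd(actualSchema, expectedSchema)).toEqual(undefined);
@@ -782,6 +849,7 @@ describe('SchemaController', () => {
 update: { '*': true },
 delete: { '*': true },
 addField: { '*': true },
+protectedFields: { '*': [] },
 },
 };
 expect(dd(actualSchema, expectedSchema)).toEqual(undefined);
@@ -815,6 +883,7 @@ describe('SchemaController', () => {
 update: { '*': true },
 delete: { '*': true },
 addField: { '*': true },
+protectedFields: { '*': [] },
 },
 };
 expect(dd(actualSchema, expectedSchema)).toEqual(undefined);
@@ -1002,6 +1071,7 @@ describe('SchemaController', () => {
 update: { '*': true },
 delete: { '*': true },
 addField: { '*': true },
+protectedFields: { '*': [] },
 },
 };
 expect(dd(actualSchema, expectedSchema)).toEqual(undefined);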
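Review bot: Neither of the two new cases in the fourth hunk shows that a well-formed `protectedFields: { '*': ['email'] }` is accepted: the first case is rejected because of `find: { '*': false }` regardless of what protectedFields holds, and the second only asserts that a string value is refused. A validator that rejected every protectedFields value would still pass this suite. A third case calling `schema.updateClass` with the same permissions but `find: { '*': true }` and expecting the promise to resolve would pin the accept path, and both existing cases could share that setup instead of repeating the full `levelPermissions` object and promise chain.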

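--- a/spec/schemas.spec.js
+++ b/spec/schemas.spec.js
@@ -45,6 +45,9 @@ const defaultClassLevelPermissions = {
 delete: {
 '*': true,
 },
+protectedFields: {
+'*': [],
+},
 };
 
 const plainOldDataSchema = {
@@ -1141,6 +1144,7 @@ describe('schemas', () => {
 update: {},
 delete: {},
 addField: {},
+protectedFields: {},
 });
 done();
 });
@@ -2037,6 +2041,7 @@ describe('schemas', () => {
 update: {},
 delete: {},
 addField: {},
+protectedFields: {},
 });
 })
 .then(done)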

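--- a/src/Adapters/Storage/Mongo/MongoSchemaCollection.js
+++ b/src/Adapters/Storage/Mongo/MongoSchemaCollection.js
@@ -62,6 +62,7 @@ const emptyCLPS = Object.freeze({
 update: {},
 delete: {},
 addField: {},
+protectedFields: {},
 });
 
 const defaultCLPS = Object.freeze({
@@ -71,6 +72,7 @@ const defaultCLPS = Object.freeze({
 update: { '*': true },
 delete: { '*': true },
 addField: { '*': true },
+protectedFields: { '*': [] },
 });
 
 function mongoSchemaToParseSchema(mongoSchema) {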
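Review bot: `Object.freeze` is shallow, so the `[]` on the new `protectedFields: { '*': [] }` line of defaultCLPS is one mutable array shared by every schema built from this constant; the existing nested `{ '*': true }` objects carry the same exposure, and the identical change in src/Adapters/Storage/Postgres/PostgresStorageAdapter.js has the same property. If any consumer later appends to a class's protectedFields list in place, the change leaks into the default for every class, which for a field-hiding list is a data-exposure risk rather than a cosmetic one. Whether mongoSchemaToParseSchema copies defaultCLPS before handing it out is outside the hunk; if it does not, either deep-copy at the point of use or add a comment on the constant such as `// Object.freeze is shallow: callers must copy, never mutate, the nested values`.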

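--- a/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
+++ b/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
@@ -106,6 +106,7 @@ const emptyCLPS = Object.freeze({
 update: {},
 delete: {},
 addField: {},
+protectedFields: {},
 });
 
 const defaultCLPS = Object.freeze({
@@ -115,6 +116,7 @@ const defaultCLPS = Object.freeze({
 update: { '*': true },
 delete: { '*': true },
 addField: { '*': true },
+protectedFields: { '*': [] },
 });
 
 const toParseSchema = schema => {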

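--- a/src/Controllers/SchemaController.js
+++ b/src/Controllers/SchemaController.js
@@ -203,6 +203,7 @@ const CLPValidKeys = Object.freeze([
 'addField',
 'readUserFields',
 'writeUserFields',
+'protectedFields',
 ]);
 function validateCLP(perms: ClassLevelPermissions, fields: SchemaFields) {
 if (!perms) {
@@ -250,7 +251,10 @@ function validateCLP(perms: ClassLevelPermissions, fields: SchemaFields) {
 verifyPermissionKey(key);
 // @flow-disable-next
 const perm = perms[operation][key];
-if (perm !== true) {
+if (
+perm !== true &&
+(operation !== 'protectedFields' || !Array.isArray(perm))
+) {
 // @flow-disable-next
 throw new Parse.Error(
 Parse.Error.INVALID_JSON,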
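Review bot: The new condition in the second hunk still accepts `protectedFields: { '*': true }`: when `perm === true` the left operand `perm !== true` is false, so the array check is never reached and a boolean ends up where the rest of the code presumably expects a list of field names. Spelling the rule out per operation avoids the inverted-logic trap, e.g. `const isValid = operation === 'protectedFields' ? Array.isArray(perm) : perm === true;` followed by `if (!isValid) {`. The array's elements are also not inspected here; since `fields` is already a parameter of validateCLP, checking that each entry is a string (and, if the schema is meant to own this, that it names a field) would reject malformed lists at write time rather than at read time. validateCLP continues outside the hunk, so I cannot tell whether a later branch covers either point.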

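--- a/src/RestQuery.js
+++ b/src/RestQuery.js
@@ -565,19 +565,8 @@ RestQuery.prototype.replaceDontSelect = function() {
 });
 };
 
-const cleanResultOfSensitiveUserInfo = function(result, auth, config) {
-delete result.password;
-
-if (auth.isMaster || (auth.user && auth.user.id === result.objectId)) {
-return;
-}
-
-for (const field of config.userSensitiveFields) {
-delete result[field];
-}
-};
-
 const cleanResultAuthData = function(result) {
+delete result.password;
 if (result.authData) {
 Object.keys(result.authData).forEach(provider => {
 if (result.authData[provider] === null) {
@@ -645,7 +634,6 @@ RestQuery.prototype.runFind = function(options = {}) {
 .then(results => {
 if (this.className === '_User') {
 for (var result of results) {
-cleanResultOfSensitiveUserInfo(result, this.auth, this.config);
 cleanResultAuthData(result);
 }
 }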
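Review bot: The second hunk removes the only call that stripped `config.userSensitiveFields` from `_User` results returned to a caller who is neither master nor the user in question, and nothing on the new side of this diff adds a replacement on the read path. Unless the protectedFields filtering that the commit title refers to is already enforced elsewhere (not visible here), `_User` queries issued by other users now return the fields userSensitiveFields used to remove, so this commit should not ship on its own ahead of that enforcement. A regression test that queries `_User` as a second user and asserts the configured sensitive field is absent from the response would make the gap observable in CI. Minor: `cleanResultAuthData` now also deletes `password` (first hunk), so its name understates what it does; a comment such as `// strips the password hash and null authData providers from a _User result` on the definition would help the next reader.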
