Description
New Feature / Enhancement Checklist
- Report security issues confidentially.
- Any contribution is under this license.
- Before posting search existing issues.
Current Limitation
#9920 was merged with the understanding that its limitation of disabling the feature of Parse.Query.includeAll when maxIncludeQueryComplexity is set is an unnecessary restriction.
Since maxIncludeQueryComplexity is a security feature, which is considered to be enabled by default, it equates to removing the practical usability of the Parse.Query.includeAll feature.
Feature / Enhancement Description
Allow Parse.Query.includeAll when maxIncludeQueryComplexity is set.
The restriction for includeAll should rather be:
- if max depth < 1 AND includeAll is used AND the schema contains a pointer field -> deny with invalid query
Or simpler, because why would someone use includeAll on a schema without pointers:
- if max depth < 1 and includeAll is used -> deny with invalid query
The option also adds a field count limit, so when using includeAll on a class with n pointer fields, and the count limit is < n, then there should also be an invalid query response. This may be easy to implement as the schema is known and we can compare the pointer field count early in the process.
See discussion in #9920 (comment).
Alternatives / Workarounds
Refactor developer app code to not use Parse.Query.includeAll.
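
A sketch of the early check proposed in this issue, added here as an illustration and not taken from parse-server or from #9920. The function names, the `{ depth, count }` shape of the limits and the sample schema are assumptions; it uses the simpler depth rule and counts only Pointer-typed fields, as the issue describes.

```javascript
// Added example, not parse-server code. The limits shape { depth, count }
// and both function names are assumptions made for illustration.
const INVALID_QUERY = 102; // numeric value of Parse.Error.INVALID_QUERY

// Names of the Pointer-typed fields in a Parse schema `fields` map.
function pointerFields(fields) {
  return Object.keys(fields).filter(name => fields[name].type === 'Pointer');
}

// Decide, before any include is resolved, whether includeAll may run.
// `limits` stands in for the maxIncludeQueryComplexity option; undefined
// means the option is not set and includeAll is unrestricted.
function checkIncludeAll(fields, limits) {
  const pointers = pointerFields(fields);
  if (!limits) {
    return { allowed: true, includes: pointers };
  }
  // Simpler rule from the issue: max depth < 1 and includeAll -> deny.
  if (typeof limits.depth === 'number' && limits.depth < 1) {
    return { allowed: false, code: INVALID_QUERY,
      reason: 'includeAll needs an include depth of at least 1' };
  }
  // Count rule: n pointer fields and count limit < n -> deny.
  if (typeof limits.count === 'number' && limits.count < pointers.length) {
    return { allowed: false, code: INVALID_QUERY,
      reason: `includeAll expands to ${pointers.length} includes, ` +
        `limit is ${limits.count}` };
  }
  return { allowed: true, includes: pointers };
}

// Constructed sample schema: a class with three pointer fields.
const postFields = {
  objectId: { type: 'String' },
  title: { type: 'String' },
  author: { type: 'Pointer', targetClass: '_User' },
  category: { type: 'Pointer', targetClass: 'Category' },
  cover: { type: 'Pointer', targetClass: 'Image' },
};

for (const limits of [undefined, { depth: 0, count: 10 },
  { depth: 2, count: 2 }, { depth: 1, count: 3 }]) {
  console.log(JSON.stringify(limits), checkIncludeAll(postFields, limits));
}
```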