Fix/issue pointer permissions (#4141)

* Makes sure we don't override roles * Reduces the query size whith pointer permissions - Does not return as $and if not needed - Returns just the query with the additional constraint * Do not use $in if include is just of length 1
2017-09-09 14:02:07 -04:00
parent 019f9e55e1
commit 0f840b6bb8
4 changed files with 57 additions and 4 deletions
--- a/spec/PointerPermissions.spec.js
+++ b/spec/PointerPermissions.spec.js
@@ -171,6 +171,47 @@ describe('Pointer Permissions', () => {
    })
  });

+  it('should query on pointer permission enabled column', (done) => {
+    const config = new Config(Parse.applicationId);
+    const user = new Parse.User();
+    const user2 = new Parse.User();
+    user.set({
+      username: 'user1',
+      password: 'password'
+    });
+    user2.set({
+      username: 'user2',
+      password: 'password'
+    });
+    const obj = new Parse.Object('AnObject');
+    const obj2 = new Parse.Object('AnObject');
+    user.signUp().then(() => {
+      return user2.signUp()
+    }).then(() => {
+      Parse.User.logOut();
+    }).then(() => {
+      obj.set('owner', user);
+      return Parse.Object.saveAll([obj, obj2]);
+    }).then(() => {
+      return config.database.loadSchema().then((schema) => {
+        return schema.updateClass('AnObject', {}, {find: {}, get:{}, readUserFields: ['owner']})
+      });
+    }).then(() => {
+      return Parse.User.logIn('user1', 'password');
+    }).then(() => {
+      const q = new Parse.Query('AnObject');
+      q.equalTo('owner', user2);
+      return q.find();
+    }).then((res) => {
+      expect(res.length).toBe(0);
+      done();
+    }).catch((err) => {
+      jfail(err);
+      fail('should not fail');
+      done();
+    })
+  });
+
  it('should not allow creating objects', (done) => {
    const config = new Config(Parse.applicationId);
    const user = new Parse.User();
--- a/src/Controllers/DatabaseController.js
+++ b/src/Controllers/DatabaseController.js
@@ -941,7 +941,14 @@ DatabaseController.prototype.addPointerPermissions = function(schema, className,
      const q = {
        [key]: userPointer
      };
-      return {'$and': [q, query]};
+      // if we already have a constraint on the key, use the $and
+      if (query.hasOwnProperty(key)) {
+        return {'$and': [q, query]};
+      }
+      // otherwise just add the constaint
+      return Object.assign({}, query, {
+        [`${key}`]: userPointer,
+      })
    });
    if (ors.length > 1) {
      return {'$or': ors};
--- a/src/RestQuery.js
+++ b/src/RestQuery.js
@@ -635,7 +635,13 @@ function includePath(config, auth, response, path, restOptions = {}) {
  }

  const queryPromises = Object.keys(pointersHash).map((className) => {
-    const where = {'objectId': {'$in': Array.from(pointersHash[className])}};
+    const objectIds = Array.from(pointersHash[className]);
+    let where;
+    if (objectIds.length === 1) {
+      where = {'objectId': objectIds[0]};
+    } else {
+      where = {'objectId': {'$in': objectIds}};
+    }
    var query = new RestQuery(config, auth, className, where, includeRestOptions);
    return query.execute({op: 'get'}).then((results) => {
      results.className = className;
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -102,8 +102,7 @@ RestWrite.prototype.getUserAndRoleACL = function() {

  if (this.auth.user) {
    return this.auth.getUserRoles().then((roles) => {
-      roles.push(this.auth.user.id);
-      this.runOptions.acl = this.runOptions.acl.concat(roles);
+      this.runOptions.acl = this.runOptions.acl.concat(roles, [this.auth.user.id]);
      return;
    });
  } else {