requiresAuthentication is self-sufficient for ACL's (#3784)

* Adds test to reproduce issue #3753 * Consider requiresAuthentication as the same level as other CLP * Better testing
2017-05-11 11:09:06 -04:00
parent 877ef78b5e
commit 10c7cb0bfa
2 changed files with 56 additions and 5 deletions
--- a/spec/Schema.spec.js
+++ b/spec/Schema.spec.js
@@ -1215,4 +1215,57 @@ describe('Class Level Permissions for requiredAuth', () => {
      done();
    });
  });
+
+  it('required auth test create/get/update/delete with roles (#3753)', (done) => {
+    let user;
+    config.database.loadSchema().then((schema) => {
+      // Just to create a valid class
+      return schema.validateObject('Stuff', {foo: 'bar'});
+    }).then((schema) => {
+      return schema.setPermissions('Stuff', {
+        'find': {
+          'requiresAuthentication': true,
+          'role:admin': true
+        },
+        'create': { 'role:admin': true },
+        'update': { 'role:admin': true },
+        'delete': { 'role:admin': true },
+        'get': {
+          'requiresAuthentication': true,
+          'role:admin': true
+        }
+      });
+    }).then(() => {
+      const stuff = new Parse.Object('Stuff');
+      stuff.set('foo', 'bar');
+      return stuff.save(null, {useMasterKey: true}).then(() => {
+        const query = new Parse.Query('Stuff');
+        return query.get(stuff.id).then(() => {
+          done.fail('should not succeed');
+        }, () => {
+          return new Parse.Query('Stuff').find();
+        }).then(() => {
+          done.fail('should not succeed');
+        }, () => {
+          return Promise.resolve();
+        });
+      }).then(() => {
+        return Parse.User.signUp('user', 'password').then((signedUpUser) => {
+          user = signedUpUser;
+          const query = new Parse.Query('Stuff');
+          return query.get(stuff.id, {sessionToken: user.getSessionToken()});
+        });
+      });
+    }).then((result) => {
+      expect(result.get('foo')).toEqual('bar');
+      const query = new Parse.Query('Stuff');
+      return query.find({sessionToken: user.getSessionToken()});
+    }).then((results) => {
+      expect(results.length).toBe(1);
+      done();
+    }, (e) => {
+      console.error(e);
+      done.fail(e);
+    });
+  });
 })
--- a/src/Controllers/SchemaController.js
+++ b/src/Controllers/SchemaController.js
@@ -813,11 +813,9 @@ export default class SchemaController {
        throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,
        'Permission denied, user needs to be authenticated.');
      }
-      // no other CLP than requiresAuthentication
-      // let's resolve that!
-      if (Object.keys(perms).length == 1) {
-        return Promise.resolve();
-      }
+      // requiresAuthentication passed, just move forward
+      // probably would be wise at some point to rename to 'authenticatedUser'
+      return Promise.resolve();
    }

    // No matching CLP, let's check the Pointer permissions