requiresAuthentication is self-sufficient for ACL's (#3784)
* Adds test to reproduce issue #3753 * Treat requiresAuthentication at the same level as the other CLPs * Better testing
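--- a/PATH_NOT_SHOWN_ON_PAGE_spec
+++ b/PATH_NOT_SHOWN_ON_PAGE_spec
@@ -1215,4 +1215,57 @@ describe('Class Level Permissions for requiredAuth', () => {
 done();
 });
 });
+
+it('required auth test create/get/update/delete with roles (#3753)', (done) => {
+let user;
+config.database.loadSchema().then((schema) => {
+// Just to create a valid class
+return schema.validateObject('Stuff', {foo: 'bar'});
+}).then((schema) => {
+return schema.setPermissions('Stuff', {
+'find': {
+'requiresAuthentication': true,
+'role:admin': true
+},
+'create': { 'role:admin': true },
+'update': { 'role:admin': true },
+'delete': { 'role:admin': true },
+'get': {
+'requiresAuthentication': true,
+'role:admin': true
+}
+});
+}).then(() => {
+const stuff = new Parse.Object('Stuff');
+stuff.set('foo', 'bar');
+return stuff.save(null, {useMasterKey: true}).then(() => {
+const query = new Parse.Query('Stuff');
+return query.get(stuff.id).then(() => {
+done.fail('should not succeed');
+}, () => {
+return new Parse.Query('Stuff').find();
+}).then(() => {
+done.fail('should not succeed');
+}, () => {
+return Promise.resolve();
+});
+}).then(() => {
+return Parse.User.signUp('user', 'password').then((signedUpUser) => {
+user = signedUpUser;
+const query = new Parse.Query('Stuff');
+return query.get(stuff.id, {sessionToken: user.getSessionToken()});
+});
+});
+}).then((result) => {
+expect(result.get('foo')).toEqual('bar');
+const query = new Parse.Query('Stuff');
+return query.find({sessionToken: user.getSessionToken()});
+}).then((results) => {
+expect(results.length).toBe(1);
+done();
+}, (e) => {
+console.error(e);
+done.fail(e);
+});
+});
 })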
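Review bot: The test name promises create/update/delete coverage, but the body only exercises `get` and `find`, so the plain signed-up user is never shown to be denied on the operations whose CLP lists `role:admin` alone. After the authenticated `find` succeeds, add a step that attempts `stuff.save({foo: 'baz'}, {sessionToken: user.getSessionToken()})` and `stuff.destroy({sessionToken: user.getSessionToken()})` and calls `done.fail` if either resolves, so the test pins the deny side of the new semantics as well as the grant side. The two rejection handlers at `}, () => {` also accept any error; checking that `e.code` equals `Parse.Error.OBJECT_NOT_FOUND` would keep a schema or connection failure from passing as a permission denial.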
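--- a/PATH_NOT_SHOWN_ON_PAGE_SchemaController
+++ b/PATH_NOT_SHOWN_ON_PAGE_SchemaController
@@ -813,11 +813,9 @@ export default class SchemaController {
 throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,
 'Permission denied, user needs to be authenticated.');
 }
-// no other CLP than requiresAuthentication
-// let's resolve that!
-if (Object.keys(perms).length == 1) {
-return Promise.resolve();
-}
+// requiresAuthentication passed, just move forward
+// probably would be wise at some point to rename to 'authenticatedUser'
+return Promise.resolve();
 }
 
 // No matching CLP, let's check the Pointer permissions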
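Review bot: The unconditional `return Promise.resolve();` turns `requiresAuthentication: true` into a grant in its own right: once the request carries an authenticated user, the remaining entries of `perms` (such as the `role:admin` used in the new test) are never consulted, so an operator who combines the two keys gets OR rather than AND semantics. That is what the commit intends, but the comment `// requiresAuthentication passed, just move forward` does not say so, and the removed `Object.keys(perms).length == 1` guard was the only hint that the other entries once mattered. Suggest replacing the two new comment lines with `// requiresAuthentication is satisfied by any authenticated user; the other CLP entries (roles, pointer permissions) are alternative grants, not additional requirements.` so the widened grant is documented at the line that makes it. The enclosing method starts before the hunk, and the `requiresAuthentication` check this branch belongs to is above the visible lines.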