feat: Add default ACL (#8701)

2025-03-25 01:15:27 +11:00
parent b9917dd734
commit 12b5d781dc
10 changed files with 245 additions and 5 deletions
--- a/src/Adapters/Storage/Mongo/MongoSchemaCollection.js
+++ b/src/Adapters/Storage/Mongo/MongoSchemaCollection.js
@@ -76,6 +76,12 @@ const emptyCLPS = Object.freeze({
 });

 const defaultCLPS = Object.freeze({
+  ACL: {
+    '*': {
+      read: true,
+      write: true,
+    },
+  },
  find: { '*': true },
  count: { '*': true },
  get: { '*': true },
--- a/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
+++ b/src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
@@ -127,6 +127,12 @@ const emptyCLPS = Object.freeze({
 });

 const defaultCLPS = Object.freeze({
+  ACL: {
+    '*': {
+      read: true,
+      write: true,
+    },
+  },
  find: { '*': true },
  get: { '*': true },
  count: { '*': true },
--- a/src/Controllers/SchemaController.js
+++ b/src/Controllers/SchemaController.js
@@ -255,6 +255,7 @@ function validateProtectedFieldsKey(key, userIdRegExp) {
 }

 const CLPValidKeys = Object.freeze([
+  'ACL',
  'find',
  'count',
  'get',
@@ -364,13 +365,34 @@ function validateCLP(perms: ClassLevelPermissions, fields: SchemaFields, userIdR
        continue;
      }

-      // or [entity]: boolean
      const permit = operation[entity];

-      if (permit !== true) {
+      if (operationKey === 'ACL') {
+        if (Object.prototype.toString.call(permit) !== '[object Object]') {
+          throw new Parse.Error(
+            Parse.Error.INVALID_JSON,
+            `'${permit}' is not a valid value for class level permissions acl`
+          );
+        }
+        const invalidKeys = Object.keys(permit).filter(key => !['read', 'write'].includes(key));
+        const invalidValues = Object.values(permit).filter(key => typeof key !== 'boolean');
+        if (invalidKeys.length) {
+          throw new Parse.Error(
+            Parse.Error.INVALID_JSON,
+            `'${invalidKeys.join(',')}' is not a valid key for class level permissions acl`
+          );
+        }
+
+        if (invalidValues.length) {
+          throw new Parse.Error(
+            Parse.Error.INVALID_JSON,
+            `'${invalidValues.join(',')}' is not a valid value for class level permissions acl`
+          );
+        }
+      } else if (permit !== true) {
        throw new Parse.Error(
          Parse.Error.INVALID_JSON,
-          `'${permit}' is not a valid value for class level permissions ${operationKey}:${entity}:${permit}`
+          `'${permit}' is not a valid value for class level permissions acl ${operationKey}:${entity}`
        );
      }
    }
--- a/src/Controllers/types.js
+++ b/src/Controllers/types.js
@@ -19,6 +19,11 @@ export type Schema = {
 };

 export type ClassLevelPermissions = {
+  ACL?: {
+    [string]: {
+      [string]: boolean,
+    },
+  },
  find?: { [string]: boolean },
  count?: { [string]: boolean },
  get?: { [string]: boolean },
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -367,6 +367,25 @@ RestWrite.prototype.setRequiredFieldsIfNeeded = function () {
        }
      };

+      // add default ACL
+      if (
+        schema?.classLevelPermissions?.ACL &&
+        !this.data.ACL &&
+        JSON.stringify(schema.classLevelPermissions.ACL) !==
+          JSON.stringify({ '*': { read: true, write: true } })
+      ) {
+        const acl = deepcopy(schema.classLevelPermissions.ACL);
+        if (acl.currentUser) {
+          if (this.auth.user?.id) {
+            acl[this.auth.user?.id] = deepcopy(acl.currentUser);
+          }
+          delete acl.currentUser;
+        }
+        this.data.ACL = acl;
+        this.storage.fieldsChangedByTrigger = this.storage.fieldsChangedByTrigger || [];
+        this.storage.fieldsChangedByTrigger.push('ACL');
+      }
+
      // Add default fields
      if (!this.query) {
        // allow customizing createdAt and updatedAt when using maintenance key