joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Removes blacklisting, *-but test case

Browse Source
This commit is contained in:
Florent Vilmart
2016-03-10 19:20:05 -05:00
parent b1d399bf80
commit 16e3529c96
2 changed files with 13 additions and 92 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
spec/schemas.spec.js
View File

@@ -1408,10 +1408,7 @@ describe('schemas', () => {
role.relation('users').add(admin);
return role.save(null, {useMasterKey: true}).then(() => {
let perm = {
'find': {
// Admins can't read
'role:admin': false
}
find: {}
};
// let the user find
perm['find'][user.id] = true;
@@ -1455,76 +1452,5 @@ describe('schemas', () => {
}).then(() => {
done();
});
});
it('validate CLP 6', done => {
let user = new Parse.User();
user.setUsername('user');
user.setPassword('user');
let user2 = new Parse.User();
user2.setUsername('user2');
user2.setPassword('user2');
let admin = new Parse.User();
admin.setUsername('admin');
admin.setPassword('admin');
let role = new Parse.Role('admin', new Parse.ACL());
Promise.resolve().then(() => {
return Parse.Object.saveAll([user, user2, admin, role], {useMasterKey: true});
}).then(()=> {
role.relation('users').add(admin);
return role.save(null, {useMasterKey: true}).then(() => {
let perm = {
'find': {
// Anyone can find
'*': true
}
};
// but the user can't
perm['find'][user.id] = false;
return setPermissionsOnClass('AClass', perm);
})
}).then(() => {
return Parse.User.logIn('user', 'user').then(() => {
let obj = new Parse.Object('AClass');
return obj.save();
})
}).then(() => {
let query = new Parse.Query('AClass');
return query.find().then((res) => {
fail('User should not be able to find!')
return Promise.resolve();
}, (err) => {
expect(err.message).toEqual('Permission denied for this action.');
return Promise.resolve();
})
}).then(() => {
return Parse.User.logIn('admin', 'admin');
}).then( () => {
let query = new Parse.Query('AClass');
return query.find();
}).then((results) => {
expect(results.length).toEqual(1);
return Promise.resolve();
}, (err) => {
fail('Should find the object as admin');
return Promise.resolve();
}).then(() => {
return Parse.User.logIn('user2', 'user2');
}).then( () => {
let query = new Parse.Query('AClass');
return query.find();
}).then((results) => {
expect(results.length).toEqual(1);
return Promise.resolve();
}, (err) => {
fail('Should find the object as user2');
return Promise.resolve();
}).then(() => {
done();
});
});
});
});

27
src/Schema.js
View File

@@ -107,7 +107,7 @@ function validateCLP(perms) {
Object.keys(perms[operation]).forEach((key) => {
verifyPermissionKey(key);
let perm = perms[operation][key];
if (perm !== true && perm !== false) {
if (perm !== true) {
throw new Parse.Error(Parse.Error.INVALID_JSON, `'${perm}' is not a valid value for class level permissions ${operation}:${key}:${perm}`);
}
});
@@ -585,22 +585,17 @@ class Schema {
return Promise.resolve();
}
var perms = this.perms[className][operation];
// Check permissions against the aclGroup provided (array of userId/roles)
// if perms has a public, check the blacklist
let startfound = perms['*'] ? true : undefined;
let found = aclGroup.reduce((memo, acl) => {
let perm = perms[acl];
// We have a black listed permission
if (perm === false) {
return false;
// Handle the public scenario quickly
if (perms['*']) {
return Promise.resolve();
}
// Check permissions against the aclGroup provided (array of userId/roles)
var found = false;
for (var i = 0; i < aclGroup.length && !found; i++) {
if (perms[aclGroup[i]]) {
found = true;
}
// the memo is not blacklisted
if (perm === true && memo !== false) {
return true;
}
return memo;
}, startfound);
}
if (!found) {
// TODO: Verify correct error code
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,