diff --git a/spec/schemas.spec.js b/spec/schemas.spec.js
index 1350c74d..40e6150b 100644
--- a/spec/schemas.spec.js
+++ b/spec/schemas.spec.js
@@ -1408,10 +1408,7 @@ describe('schemas', () => {
 role.relation('users').add(admin);
 return role.save(null, {useMasterKey: true}).then(() => {
 let perm = {
- 'find': {
- // Admins can't read
- 'role:admin': false
- }
+ find: {}
 };
 // let the user find
 perm['find'][user.id] = true;
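Review bot: The replacement `find: {}` drops the only comment that explained what this test expects of the admin role, so a reader no longer sees why an empty find map matters here. Since validateCLP now accepts only `true`, admin is denied by not being listed rather than by an explicit `false`, and the line should say so, e.g. `find: {} // nobody listed yet: admin is denied by default, only user.id is granted below`. The assertions that exercise this expectation lie outside the hunk, so I am assuming the remainder of the test still checks that admin cannot find.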
@@ -1455,76 +1452,5 @@ describe('schemas', () => {
 }).then(() => {
 done();
- });
-
- it('validate CLP 6', done => {
- let user = new Parse.User();
- user.setUsername('user');
- user.setPassword('user');
-
- let user2 = new Parse.User();
- user2.setUsername('user2');
- user2.setPassword('user2');
- let admin = new Parse.User();
- admin.setUsername('admin');
- admin.setPassword('admin');
-
- let role = new Parse.Role('admin', new Parse.ACL());
-
- Promise.resolve().then(() => {
- return Parse.Object.saveAll([user, user2, admin, role], {useMasterKey: true});
- }).then(()=> {
- role.relation('users').add(admin);
- return role.save(null, {useMasterKey: true}).then(() => {
- let perm = {
- 'find': {
- // Anyone can find
- '*': true
- }
- };
- // but the user can't
- perm['find'][user.id] = false;
- return setPermissionsOnClass('AClass', perm);
- })
- }).then(() => {
- return Parse.User.logIn('user', 'user').then(() => {
- let obj = new Parse.Object('AClass');
- return obj.save();
- })
- }).then(() => {
- let query = new Parse.Query('AClass');
- return query.find().then((res) => {
- fail('User should not be able to find!')
- return Promise.resolve();
- }, (err) => {
- expect(err.message).toEqual('Permission denied for this action.');
- return Promise.resolve();
- })
- }).then(() => {
- return Parse.User.logIn('admin', 'admin');
- }).then( () => {
- let query = new Parse.Query('AClass');
- return query.find();
- }).then((results) => {
- expect(results.length).toEqual(1);
- return Promise.resolve();
- }, (err) => {
- fail('Should find the object as admin');
- return Promise.resolve();
- }).then(() => {
- return Parse.User.logIn('user2', 'user2');
- }).then( () => {
- let query = new Parse.Query('AClass');
- return query.find();
- }).then((results) => {
- expect(results.length).toEqual(1);
- return Promise.resolve();
- }, (err) => {
- fail('Should find the object as user2');
- return Promise.resolve();
- }).then(() => {
- done();
- });
-
+ });
 });
diff --git a/src/Schema.js b/src/Schema.js
index 9b18517a..f4e1b9bf 100644
--- a/src/Schema.js
+++ b/src/Schema.js
@@ -107,7 +107,7 @@ function validateCLP(perms) {
 Object.keys(perms[operation]).forEach((key) => {
 verifyPermissionKey(key);
 let perm = perms[operation][key];
- if (perm !== true && perm !== false) {
+ if (perm !== true) {
 throw new Parse.Error(Parse.Error.INVALID_JSON, `'${perm}' is not a valid value for class level permissions ${operation}:${key}:${perm}`);
 }
 });
@@ -585,22 +585,17 @@ class Schema {
 return Promise.resolve();
 }
 var perms = this.perms[className][operation];
-
- // Check permissions against the aclGroup provided (array of userId/roles)
- // if perms has a public, check the blacklist
- let startfound = perms['*'] ? true : undefined;
- let found = aclGroup.reduce((memo, acl) => {
- let perm = perms[acl];
- // We have a black listed permission
- if (perm === false) {
- return false;
+ // Handle the public scenario quickly
+ if (perms['*']) {
+ return Promise.resolve();
+ }
+ // Check permissions against the aclGroup provided (array of userId/roles)
+ var found = false;
+ for (var i = 0; i < aclGroup.length && !found; i++) {
+ if (perms[aclGroup[i]]) {
+ found = true;
 }
- // the memo is not blacklisted
- if (perm === true && memo !== false) {
- return true;
- }
- return memo;
- }, startfound);
+ }
 if (!found) {
 // TODO: Verify correct error code
 throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,
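Review bot: The new lookup `if (perms[aclGroup[i]])` in the second hunk grants access on any truthy value, and because `perms` is a plain object the lookup also resolves inherited `Object.prototype` members, so an aclGroup entry named `constructor`, `toString` or `hasOwnProperty` would count as granted even though no such key was ever written to the CLP; the removed reduce compared with `perm === true` and did not have this problem. Whether such an entry can reach aclGroup from a request is not visible here (the comment says it holds user ids and roles), but the strict form costs nothing: `if (perms['*'] === true)` and `if (perms[aclGroup[i]] === true)`. It also makes the handling of CLPs stored before this change explicit, since validateCLP accepted `false` until the first hunk and persisted `false` entries may still exist; both forms read them as "not granted", but only the strict one says so. The enclosing method of class Schema starts and ends outside the hunk.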