Removes blacklisting, *-but test case
This commit is contained in:
Florent Vilmart
@@ -1408,10 +1408,7 @@ describe('schemas', () => {
|
|||||||
role.relation('users').add(admin);
|
role.relation('users').add(admin);
|
||||||
return role.save(null, {useMasterKey: true}).then(() => {
|
return role.save(null, {useMasterKey: true}).then(() => {
|
||||||
let perm = {
|
let perm = {
|
||||||
'find': {
|
find: {}
|
||||||
// Admins can't read
|
|
||||||
'role:admin': false
|
|
||||||
}
|
|
||||||
};
|
};
|
||||||
// let the user find
|
// let the user find
|
||||||
perm['find'][user.id] = true;
|
perm['find'][user.id] = true;
|
||||||
@@ -1456,75 +1453,4 @@ describe('schemas', () => {
|
|||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('validate CLP 6', done => {
|
|
||||||
let user = new Parse.User();
|
|
||||||
user.setUsername('user');
|
|
||||||
user.setPassword('user');
|
|
||||||
|
|
||||||
let user2 = new Parse.User();
|
|
||||||
user2.setUsername('user2');
|
|
||||||
user2.setPassword('user2');
|
|
||||||
let admin = new Parse.User();
|
|
||||||
admin.setUsername('admin');
|
|
||||||
admin.setPassword('admin');
|
|
||||||
|
|
||||||
let role = new Parse.Role('admin', new Parse.ACL());
|
|
||||||
|
|
||||||
Promise.resolve().then(() => {
|
|
||||||
return Parse.Object.saveAll([user, user2, admin, role], {useMasterKey: true});
|
|
||||||
}).then(()=> {
|
|
||||||
role.relation('users').add(admin);
|
|
||||||
return role.save(null, {useMasterKey: true}).then(() => {
|
|
||||||
let perm = {
|
|
||||||
'find': {
|
|
||||||
// Anyone can find
|
|
||||||
'*': true
|
|
||||||
}
|
|
||||||
};
|
|
||||||
// but the user can't
|
|
||||||
perm['find'][user.id] = false;
|
|
||||||
return setPermissionsOnClass('AClass', perm);
|
|
||||||
})
|
|
||||||
}).then(() => {
|
|
||||||
return Parse.User.logIn('user', 'user').then(() => {
|
|
||||||
let obj = new Parse.Object('AClass');
|
|
||||||
return obj.save();
|
|
||||||
})
|
|
||||||
}).then(() => {
|
|
||||||
let query = new Parse.Query('AClass');
|
|
||||||
return query.find().then((res) => {
|
|
||||||
fail('User should not be able to find!')
|
|
||||||
return Promise.resolve();
|
|
||||||
}, (err) => {
|
|
||||||
expect(err.message).toEqual('Permission denied for this action.');
|
|
||||||
return Promise.resolve();
|
|
||||||
})
|
|
||||||
}).then(() => {
|
|
||||||
return Parse.User.logIn('admin', 'admin');
|
|
||||||
}).then( () => {
|
|
||||||
let query = new Parse.Query('AClass');
|
|
||||||
return query.find();
|
|
||||||
}).then((results) => {
|
|
||||||
expect(results.length).toEqual(1);
|
|
||||||
return Promise.resolve();
|
|
||||||
}, (err) => {
|
|
||||||
fail('Should find the object as admin');
|
|
||||||
return Promise.resolve();
|
|
||||||
}).then(() => {
|
|
||||||
return Parse.User.logIn('user2', 'user2');
|
|
||||||
}).then( () => {
|
|
||||||
let query = new Parse.Query('AClass');
|
|
||||||
return query.find();
|
|
||||||
}).then((results) => {
|
|
||||||
expect(results.length).toEqual(1);
|
|
||||||
return Promise.resolve();
|
|
||||||
}, (err) => {
|
|
||||||
fail('Should find the object as user2');
|
|
||||||
return Promise.resolve();
|
|
||||||
}).then(() => {
|
|
||||||
done();
|
|
||||||
});
|
|
||||||
});
|
|
||||||
|
|
||||||
});
|
});
|
||||||
|
|||||||
@@ -107,7 +107,7 @@ function validateCLP(perms) {
|
|||||||
Object.keys(perms[operation]).forEach((key) => {
|
Object.keys(perms[operation]).forEach((key) => {
|
||||||
verifyPermissionKey(key);
|
verifyPermissionKey(key);
|
||||||
let perm = perms[operation][key];
|
let perm = perms[operation][key];
|
||||||
if (perm !== true && perm !== false) {
|
if (perm !== true) {
|
||||||
throw new Parse.Error(Parse.Error.INVALID_JSON, `'${perm}' is not a valid value for class level permissions ${operation}:${key}:${perm}`);
|
throw new Parse.Error(Parse.Error.INVALID_JSON, `'${perm}' is not a valid value for class level permissions ${operation}:${key}:${perm}`);
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
@@ -585,22 +585,17 @@ class Schema {
|
|||||||
return Promise.resolve();
|
return Promise.resolve();
|
||||||
}
|
}
|
||||||
var perms = this.perms[className][operation];
|
var perms = this.perms[className][operation];
|
||||||
|
// Handle the public scenario quickly
|
||||||
|
if (perms['*']) {
|
||||||
|
return Promise.resolve();
|
||||||
|
}
|
||||||
// Check permissions against the aclGroup provided (array of userId/roles)
|
// Check permissions against the aclGroup provided (array of userId/roles)
|
||||||
// if perms has a public, check the blacklist
|
var found = false;
|
||||||
let startfound = perms['*'] ? true : undefined;
|
for (var i = 0; i < aclGroup.length && !found; i++) {
|
||||||
let found = aclGroup.reduce((memo, acl) => {
|
if (perms[aclGroup[i]]) {
|
||||||
let perm = perms[acl];
|
found = true;
|
||||||
// We have a black listed permission
|
|
||||||
if (perm === false) {
|
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
// the memo is not blacklisted
|
}
|
||||||
if (perm === true && memo !== false) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
return memo;
|
|
||||||
}, startfound);
|
|
||||||
if (!found) {
|
if (!found) {
|
||||||
// TODO: Verify correct error code
|
// TODO: Verify correct error code
|
||||||
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,
|
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,
|
||||||
|
|||||||
Reference in New Issue
Block a user