From 1f22ee36e79a1c0c6f9ac3d871260679414aea52 Mon Sep 17 00:00:00 2001
From: Florent Vilmart
Date: Fri, 1 Dec 2017 09:16:58 -0500
Subject: [PATCH] =?UTF-8?q?=E2=9A=A1=20Release=202.7.1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

(#4410)

* Adds failing test for 4409
* Adds fix
* :zap: Release 2.7.1
---
 CHANGELOG.md | 9 ++++++
 package.json | 2 +-
 spec/schemas.spec.js | 30 +++++++++++++++++++
 .../Storage/Mongo/MongoStorageAdapter.js | 6 ++--
 4 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca6cb0bb..03c0ea07 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,9 +3,18 @@
 ### master
 [Full Changelog](https://github.com/parse-community/parse-server/compare/2.7.0...master)
+### 2.7.1 [Full Changelog](https://github.com/parse-community/parse-server/compare/2.7.1...2.7.0)
+
+:warning: Fixes a security issue affecting Class Level Permissions
+
+* Adds support for dot notation when using matchesKeyInQuery, thanks to [Henrik](https://github.com/bohemima) and [Arthur Cinader](https://github.com/acinader)
+
 ### 2.7.0
 [Full Changelog](https://github.com/parse-community/parse-server/compare/2.7.0...2.6.5)
+:warning: This version contains an issue affecting Class Level Permissions on mongoDB. Please upgrade to 2.7.1.
+
 Starting parse-server 2.7.0, the minimun nodejs version is 6.11.4, please update your engines before updating parse-server
 #### New Features:
diff --git a/package.json b/package.json
index 72e7533f..0a6ce609 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "parse-server",
- "version": "2.7.0",
+ "version": "2.7.1",
 "description": "An express module providing a Parse-compatible API server",
 "main": "lib/index.js",
 "repository": {
diff --git a/spec/schemas.spec.js b/spec/schemas.spec.js
index 8c7481d9..8f689d71 100644
--- a/spec/schemas.spec.js
+++ b/spec/schemas.spec.js
@@ -2,6 +2,7 @@ var Parse = require('parse/node').Parse;
 var request = require('request');
+const rp = require('request-promise');
 var dd = require('deep-diff');
 var Config = require('../src/Config');
@@ -1721,6 +1722,35 @@ describe('schemas', () => {
 });
 });
+
+ it("regression test for #4409 (indexes override the clp)", done => {
+ setPermissionsOnClass('_Role', {
+ 'get': {"*": true},
+ 'find': {"*": true},
+ 'create': {'*': true},
+ }, true).then(() => {
+ const config = Config.get('test');
+ return config.database.adapter.updateSchemaWithIndexes();
+ }).then(() => {
+ return rp.get({
+ url: 'http://localhost:8378/1/schemas/_Role',
+ headers: masterKeyHeaders,
+ json: true,
+ });
+ }).then((res) => {
+ expect(res.classLevelPermissions).toEqual({
+ 'get': {"*": true},
+ 'find': {"*": true},
+ 'create': {'*': true},
+ 'update': {},
+ 'delete': {},
+ 'addField': {},
+ });
+ console.log(res);
+ }).then(done).catch(done.fail);
+ });
+
+
 it('regression test for #2246', done => {
 const profile = new Parse.Object('UserProfile');
 const user = new Parse.User();
diff --git a/src/Adapters/Storage/Mongo/MongoStorageAdapter.js b/src/Adapters/Storage/Mongo/MongoStorageAdapter.js
index cd70cf9b..5158e58c 100644
--- a/src/Adapters/Storage/Mongo/MongoStorageAdapter.js
+++ b/src/Adapters/Storage/Mongo/MongoStorageAdapter.js
@@ -166,7 +166,7 @@ export class MongoStorageAdapter {
 setClassLevelPermissions(className, CLPs) {
 return this._schemaCollection()
 .then(schemaCollection => schemaCollection.updateSchema(className, {
- $set: { _metadata: { class_permissions: CLPs } }
+ $set: { '_metadata.class_permissions': CLPs }
 }));
 }
@@ -212,7 +212,7 @@ export class MongoStorageAdapter {
 .then(() => insertPromise)
 .then(() => this._schemaCollection())
 .then(schemaCollection => schemaCollection.updateSchema(className, {
- $set: { _metadata: { indexes: existingIndexes } }
+ $set: { '_metadata.indexes': existingIndexes }
 }));
 }
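Review bot: `console.log(res);` in the new #4409 test is a leftover debugging statement that dumps the whole master-key schema response on every run; drop it so the `.then((res) => { … })` body ends at the `expect`. The test also pins only one direction of the defect — `updateSchemaWithIndexes()` must not wipe `class_permissions` — whereas the companion change to `setClassLevelPermissions` in MongoStorageAdapter.js (hunk at `@@ -166`) presumably addresses the reverse, a CLP write erasing `_metadata.indexes`, which has no assertion here. A second `it` that sets indexes, then calls `setPermissionsOnClass`, and asserts the indexes survive would cover both halves. The enclosing `describe('schemas', …)` block starts outside the hunk.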
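Review bot: The dot-notation `$set` key introduced here, and likewise at the `@@ -212` and `@@ -231` hunks, is the actual security fix — `$set: { _metadata: { … } }` replaced the entire `_metadata` subdocument, so an index write would presumably drop `class_permissions` (leaving the class with its default permissions) and a CLP write would drop `indexes` — yet none of the three sites says why the key is spelled this way, so a later edit could reintroduce the subdocument form without any test other than #4409 noticing. Add a one-line comment above each `$set`, e.g. `// Dot notation is required: $set on the whole _metadata object would discard its other keys (indexes / class_permissions), see #4409.` The enclosing class `MongoStorageAdapter` and the methods patched at the second and third hunks start outside their hunks.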
@@ -231,7 +231,7 @@ export class MongoStorageAdapter {
 }, {});
 return this._schemaCollection()
 .then(schemaCollection => schemaCollection.updateSchema(className, {
- $set: { _metadata: { indexes: indexes } }
+ $set: { '_metadata.indexes': indexes }
 }));
 }).catch(() => {
 // Ignore if collection not found
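Review bot: A rejection from the rewritten `'_metadata.indexes'` write at this hunk is still swallowed by the following `.catch(() => {` — its comment says it exists for a missing collection, but the handler receives no error argument and ignores every failure, so a metadata update that does not persist (the same class of silent-state problem this release fixes) would go unnoticed. Consider binding the error, rethrowing or at least logging anything that is not the not-found case, and narrowing the comment to what is actually ignored. The enclosing method and the body of the `.catch` continue outside the hunk.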