From 3b0ab809653dba2b0f47370c563b5cdd8bd0fc5c Mon Sep 17 00:00:00 2001
From: Peter Theill <peter@theill.com>
Date: Sun, 7 Feb 2016 13:51:32 +0100
Subject: [PATCH] Require masterKey when performing config updates

---
 global_config.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/global_config.js b/global_config.js
index 56eafc3c..cba5c790 100644
--- a/global_config.js
+++ b/global_config.js
@@ -8,6 +8,10 @@ var router = new PromiseRouter();
 
 // Returns a promise for a {response} object.
 function handleUpdateGlobalConfig(req) {
+  if (!req.auth.isMaster) {
+    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Config updates requires valid masterKey.');
+  }
+
   return rest.update(req.config, req.auth,
                      '_GlobalConfig', 1, req.body)
   .then((response) => {