* Fixes an issue that would let the beforeDelete be called when the user has no access to the object * Ensure we properly lock the user - Improves the find method so we can attempt a read-for-write using the right ACL instead of the masterKey - This ensures we do not run beforeDelete/beforeFind/beforeSave in the wrong scenarios * nits * Caps insufficient
12
src/Auth.js
12
src/Auth.js
@@ -21,14 +21,14 @@ function Auth({ config, isMaster = false, isReadOnly = false, user, installation
// Whether this auth could possibly modify the given user id.
// It still could be forbidden via ACLs even if this returns true.
Auth.prototype.couldUpdateUserId = function(userId) {
Auth.prototype.isUnauthenticated = function() {
if (this.isMaster) {
return true;
return false;
}
if (this.user && this.user.id === userId) {
return true;
if (this.user) {
return false;
}
return false;
return true;
};
// A helper to get a master-level Auth object
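Review bot: The two comment lines that sit directly above the new `Auth.prototype.isUnauthenticated` still describe the removed `couldUpdateUserId` ("could possibly modify the given user id", "forbidden via ACLs even if this returns true"), which no longer fits a zero-argument predicate that returns true only when the request is neither master nor carries a user. The rendered hunk does not mark sides, so I am assuming those two lines are unchanged context rather than part of the deletion. Replace them with `// Whether this request carries no identity at all: not master and no session user.` so a reader does not take the stale ACL remark as a statement about the new method. The function body is fully inside the hunk.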
@@ -64,7 +64,7 @@ var getAuthForSessionToken = function({ config, sessionToken, installationId } =
return query.execute().then((response) => {
var results = response.results;
if (results.length !== 1 || !results[0]['user']) {
throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token');
throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token');
}
var now = new Date(),