* Fixes an issue that would let the beforeDelete be called when the user has no access to the object * Ensure we properly lock user - Improves find method so we can attempt to read for a write poking the right ACL instead of using masterKey - This ensures we do not run beforeDelete/beforeFind/beforeSave in the wrong scenarios * nits * Caps insufficient
@@ -965,7 +965,7 @@ RestWrite.prototype.runDatabaseOperation = function() {
|
||||
|
||||
if (this.className === '_User' &&
|
||||
this.query &&
|
||||
!this.auth.couldUpdateUserId(this.query.objectId)) {
|
||||
this.auth.isUnauthenticated()) {
|
||||
throw new Parse.Error(Parse.Error.SESSION_MISSING, `Cannot modify user ${this.query.objectId}.`);
|
||||
}
|
||||
|
||||
|
||||
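Review bot: The `_User` guard in this hunk appears to end up as `this.auth.isUnauthenticated()` (the page has lost its +/- markers, so the new side is inferred from the commit description), and that condition no longer compares the caller with `this.query.objectId` the way `couldUpdateUserId` did. A request carrying a valid session for one user would therefore pass this check while targeting a different user's row, so the protection rests on the ACL-scoped write path that the description mentions and that is not visible here. I would record that dependency at the check, e.g. `// Rejects only session-less requests; ownership of the target _User must be enforced by the ACL-scoped write.`, and add a regression test asserting that a logged-in non-owner without the master key gets an error when updating another `_User`. `runDatabaseOperation` starts before and continues after the hunk.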