Granular CLP pointer permissions (#6352)

* set pointer permissions per operatioon; tests * more tests * fixes addField permission; tests
2020-01-28 09:21:30 +03:00
parent 4beb89fc2e
commit 3c46117d9b
10 changed files with 1380 additions and 37 deletions
--- a/spec/ParseObject.spec.js
+++ b/spec/ParseObject.spec.js
@@ -313,7 +313,15 @@ describe('Parse.Object testing', () => {

  it('invalid __type', function(done) {
    const item = new Parse.Object('Item');
-    const types = ['Pointer', 'File', 'Date', 'GeoPoint', 'Bytes', 'Polygon'];
+    const types = [
+      'Pointer',
+      'File',
+      'Date',
+      'GeoPoint',
+      'Bytes',
+      'Polygon',
+      'Relation',
+    ];
    const tests = types.map(type => {
      const test = new Parse.Object('Item');
      test.set('foo', {
--- a/spec/PointerPermissions.spec.js
+++ b/spec/PointerPermissions.spec.js
--- a/spec/ProtectedFields.spec.js
+++ b/spec/ProtectedFields.spec.js
@@ -758,4 +758,37 @@ describe('ProtectedFields', function() {
      });
    });
  });
+
+  describe('schema setup', () => {
+    const className = 'AObject';
+    async function updateCLP(clp) {
+      const config = Config.get(Parse.applicationId);
+      const schemaController = await config.database.loadSchema();
+
+      await schemaController.updateClass(className, {}, clp);
+    }
+
+    it('should fail setting non-existing protected field', async () => {
+      const object = new Parse.Object(className, {
+        revision: 0,
+      });
+      await object.save();
+
+      const field = 'non-existing';
+      const entity = '*';
+
+      await expectAsync(
+        updateCLP({
+          protectedFields: {
+            [entity]: [field],
+          },
+        })
+      ).toBeRejectedWith(
+        new Parse.Error(
+          Parse.Error.INVALID_JSON,
+          `Field '${field}' in protectedFields:${entity} does not exist`
+        )
+      );
+    });
+  });
 });
--- a/spec/Schema.spec.js
+++ b/spec/Schema.spec.js
@@ -1665,7 +1665,7 @@ describe('Class Level Permissions for requiredAuth', () => {
      );
  });

-  it('required auth test get not authenitcated', done => {
+  it('required auth test get not authenticated', done => {
    config.database
      .loadSchema()
      .then(schema => {
@@ -1704,7 +1704,7 @@ describe('Class Level Permissions for requiredAuth', () => {
      );
  });

-  it('required auth test find not authenitcated', done => {
+  it('required auth test find not authenticated', done => {
    config.database
      .loadSchema()
      .then(schema => {
--- a/spec/schemas.spec.js
+++ b/spec/schemas.spec.js
@@ -2752,6 +2752,115 @@ describe('schemas', () => {
      );
  });

+  it('should reject creating class schema with field with invalid key', async done => {
+    const config = Config.get(Parse.applicationId);
+    const schemaController = await config.database.loadSchema();
+
+    const fieldName = '1invalid';
+
+    const schemaCreation = () =>
+      schemaController.addClassIfNotExists('AnObject', {
+        [fieldName]: { __type: 'String' },
+      });
+
+    await expectAsync(schemaCreation()).toBeRejectedWith(
+      new Parse.Error(
+        Parse.Error.INVALID_KEY_NAME,
+        `invalid field name: ${fieldName}`
+      )
+    );
+    done();
+  });
+
+  it('should reject creating invalid field name', async done => {
+    const object = new Parse.Object('AnObject');
+
+    await expectAsync(
+      object.save({
+        '!12field': 'field',
+      })
+    ).toBeRejectedWith(new Parse.Error(Parse.Error.INVALID_KEY_NAME));
+    done();
+  });
+
+  it('should be rejected if CLP operation is not an object', async done => {
+    const config = Config.get(Parse.applicationId);
+    const schemaController = await config.database.loadSchema();
+
+    const operationKey = 'get';
+    const operation = true;
+
+    const schemaSetup = async () =>
+      await schemaController.addClassIfNotExists(
+        'AnObject',
+        {},
+        {
+          [operationKey]: operation,
+        }
+      );
+
+    await expectAsync(schemaSetup()).toBeRejectedWith(
+      new Parse.Error(
+        Parse.Error.INVALID_JSON,
+        `'${operation}' is not a valid value for class level permissions ${operationKey} - must be an object`
+      )
+    );
+
+    done();
+  });
+
+  it('should be rejected if CLP protectedFields is not an object', async done => {
+    const config = Config.get(Parse.applicationId);
+    const schemaController = await config.database.loadSchema();
+
+    const operationKey = 'get';
+    const operation = 'wrongtype';
+
+    const schemaSetup = async () =>
+      await schemaController.addClassIfNotExists(
+        'AnObject',
+        {},
+        {
+          [operationKey]: operation,
+        }
+      );
+
+    await expectAsync(schemaSetup()).toBeRejectedWith(
+      new Parse.Error(
+        Parse.Error.INVALID_JSON,
+        `'${operation}' is not a valid value for class level permissions ${operationKey} - must be an object`
+      )
+    );
+
+    done();
+  });
+
+  it('should be rejected if CLP read/writeUserFields is not an array', async done => {
+    const config = Config.get(Parse.applicationId);
+    const schemaController = await config.database.loadSchema();
+
+    const operationKey = 'readUserFields';
+    const operation = true;
+
+    const schemaSetup = async () =>
+      await schemaController.addClassIfNotExists(
+        'AnObject',
+        {},
+        {
+          [operationKey]: operation,
+        }
+      );
+
+    await expectAsync(schemaSetup()).toBeRejectedWith(
+      new Parse.Error(
+        Parse.Error.INVALID_JSON,
+        `'${operation}' is not a valid value for class level permissions ${operationKey} - must be an array`
+      )
+    );
+
+    done();
+  });
+
  describe('index management', () => {
    beforeEach(() => require('../lib/TestUtils').destroyAllDataPermanently());
    it('cannot create index if field does not exist', done => {