From 559205bc64d4983116fcc335bdc598c4135cf1bb Mon Sep 17 00:00:00 2001
From: Drew Gross
Date: Wed, 18 May 2016 13:49:31 -0700
Subject: [PATCH] Lift no-query-ACL validation out of transformWhere

---
 src/Adapters/Storage/Mongo/MongoStorageAdapter.js | 3 +++
 src/Adapters/Storage/Mongo/MongoTransform.js | 9 ++++++---
 src/Controllers/DatabaseController.js | 6 ++++++
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/Adapters/Storage/Mongo/MongoStorageAdapter.js b/src/Adapters/Storage/Mongo/MongoStorageAdapter.js
index 81af4e97..9096d4b8 100644
--- a/src/Adapters/Storage/Mongo/MongoStorageAdapter.js
+++ b/src/Adapters/Storage/Mongo/MongoStorageAdapter.js
@@ -184,6 +184,9 @@ export class MongoStorageAdapter {
 deleteObjectsByQuery(className, query, validate, schema) {
 return this.adaptiveCollection(className)
 .then(collection => {
+ if (query.ACL) {
+ throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
+ }
 let mongoWhere = transform.transformWhere(className, query, { validate }, schema);
 return collection.deleteMany(mongoWhere)
 })
diff --git a/src/Adapters/Storage/Mongo/MongoTransform.js b/src/Adapters/Storage/Mongo/MongoTransform.js
index 5be57583..a7aee55a 100644
--- a/src/Adapters/Storage/Mongo/MongoTransform.js
+++ b/src/Adapters/Storage/Mongo/MongoTransform.js
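Review bot: The two-line ACL guard added ahead of `transformWhere` in deleteObjectsByQuery is copied verbatim into DatabaseController.update and DatabaseController.find in this same commit, and in a near-identical form into the `$or`/`$and` arms of transformQueryKeyValue, so the rule now lives in five places that must stay in sync. A single exported helper in MongoTransform, e.g. `function assertNoACLQuery(query) { if (query.ACL) { throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.'); } }`, called from each entry point would keep one source of truth; `transform` is already imported in this file. While consolidating, consider testing for presence rather than truthiness (`Object.prototype.hasOwnProperty.call(query, 'ACL')`), since `{ACL: 0}` or `{ACL: ''}` passes `if (query.ACL)` and then reaches transformWhere, whose key regex `/^[a-zA-Z][a-zA-Z0-9_\.]*$/` admits `ACL` as an ordinary field name. The removed check in transformWhere had the same truthiness gap, so this is pre-existing behaviour rather than a regression introduced here.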
@@ -170,11 +170,17 @@ function transformQueryKeyValue(className, key, value, schema) {
 if (!(value instanceof Array)) {
 throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad $or format - use an array value');
 }
+ if (value.some(subQuery => subQuery.ACL)) {
+ throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
+ }
 return {key: '$or', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};
 case '$and':
 if (!(value instanceof Array)) {
 throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad $and format - use an array value');
 }
+ if (value.some(subQuery => subQuery.ACL)) {
+ throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
+ }
 return {key: '$and', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};
 default:
 // Other auth data
@@ -224,9 +230,6 @@ function transformQueryKeyValue(className, key, value, schema) {
 const specialQuerykeys = ['$and', '$or', '_rperm', '_wperm', '_perishable_token', '_email_verify_token'];
 function transformWhere(className, restWhere, { validate = true } = {}, schema) {
 let mongoWhere = {};
- if (restWhere['ACL']) {
- throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
- }
 for (let restKey in restWhere) {
 if (validate && !specialQuerykeys.includes(restKey) && !restKey.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {
 throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${restKey}`);
diff --git a/src/Controllers/DatabaseController.js b/src/Controllers/DatabaseController.js
index fefd5afe..ac0ada29 100644
--- a/src/Controllers/DatabaseController.js
+++ b/src/Controllers/DatabaseController.js
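Review bot: `value.some(subQuery => subQuery.ACL)` dereferences every element of the `$or`/`$and` array, so an element that is `null` now surfaces from this arm as a bare TypeError instead of an INVALID_QUERY error; the old path hit the same TypeError inside transformWhere's `restWhere['ACL']`, but this arm is the natural place to reject malformed elements explicitly, e.g. `if (value.some(subQuery => subQuery === null || typeof subQuery !== 'object')) { throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad ' + key + ' format - use an array of objects'); }` placed before the ACL check. Apart from the operator name in the message and the returned key, the `$or` and `$and` arms are now line-for-line identical, so a shared `case '$or': case '$and':` arm that interpolates `key` would remove the second copy of the ACL check. transformQueryKeyValue starts before this hunk and its switch continues after it.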
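Review bot: With the `restWhere['ACL']` check removed, transformWhere no longer refuses an ACL key and the validation on the following lines cannot catch it either: `ACL` is not in `specialQuerykeys` and matches `/^[a-zA-Z][a-zA-Z0-9_\.]*$/`, so any caller of transformWhere that this commit did not update now passes ACL through as an ordinary field filter. That new contract should be stated on the function, e.g. `// Does not reject queries on ACL; every entry point (DatabaseController.find/update, MongoStorageAdapter.deleteObjectsByQuery, the $or/$and arms of transformQueryKeyValue) must check for it before calling.` placed above `function transformWhere`. It is worth confirming there are no other transformWhere call sites (for instance any operator that recurses into a nested where clause, if one exists) that relied on the removed check; they are not visible from this hunk. The function body continues past the end of the hunk.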
@@ -184,6 +184,9 @@ DatabaseController.prototype.update = function(className, query, update, {
 throw error;
 })
 .then(parseFormatSchema => {
+ if (query.ACL) {
+ throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
+ }
 var mongoWhere = this.transform.transformWhere(className, query, {validate: !this.skipValidation}, parseFormatSchema);
 mongoUpdate = this.transform.transformUpdate(
 schemaController,
@@ -668,6 +671,9 @@ DatabaseController.prototype.find = function(className, query, {
 if (!isMaster) {
 query = addReadACL(query, aclGroup);
 }
+ if (query.ACL) {
+ throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
+ }
 let mongoWhere = this.transform.transformWhere(className, query, {}, schema);
 if (count) {
 delete mongoOptions.limit;
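Review bot: The ACL check in update sits inside the `.then(parseFormatSchema => …)` continuation, after the schema has been resolved, so a query that is going to be rejected outright still pays for the schema lookup and every preceding promise step. If nothing earlier in `update` needs the schema to make this decision (the function begins before the hunk, so I cannot confirm), moving the same two lines to the top of the function would fail fast before any I/O and would also make the rejection synchronous-looking in stack traces. Because the check throws inside a `.then`, callers still receive a rejected promise rather than a thrown error, which matches how the find hunk below and deleteObjectsByQuery behave.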