Lift no-query-ACL validation out of transformWhere

Drew Gross
2016-05-18 13:49:31 -07:00
parent 66b8a8474e
commit 559205bc64
3 changed files with 15 additions and 3 deletions


@@ -184,6 +184,9 @@ export class MongoStorageAdapter {
deleteObjectsByQuery(className, query, validate, schema) { deleteObjectsByQuery(className, query, validate, schema) {
return this.adaptiveCollection(className) return this.adaptiveCollection(className)
.then(collection => { .then(collection => {
if (query.ACL) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
}
let mongoWhere = transform.transformWhere(className, query, { validate }, schema); let mongoWhere = transform.transformWhere(className, query, { validate }, schema);
return collection.deleteMany(mongoWhere) return collection.deleteMany(mongoWhere)
}) })
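Review bot: The guard added in deleteObjectsByQuery tests truthiness (`if (query.ACL)`), so a query such as `{ ACL: null }` or `{ ACL: '' }` is not rejected and the `ACL` key is passed on to transformWhere, which after this commit no longer checks for it. The removed check behaved the same way, and how a falsy `ACL` key is handled further down is not visible in these hunks, so this is worth confirming rather than a proven bypass. Testing for the key's presence would close the gap, e.g. `if (Object.prototype.hasOwnProperty.call(query, 'ACL')) {`. The same applies to the copies added in update and find and to `subQuery.ACL` in the `$or`/`$and` branches. The method body continues outside the hunk.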


@@ -170,11 +170,17 @@ function transformQueryKeyValue(className, key, value, schema) {
if (!(value instanceof Array)) { if (!(value instanceof Array)) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad $or format - use an array value'); throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad $or format - use an array value');
} }
if (value.some(subQuery => subQuery.ACL)) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
}
return {key: '$or', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))}; return {key: '$or', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};
case '$and': case '$and':
if (!(value instanceof Array)) { if (!(value instanceof Array)) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad $and format - use an array value'); throw new Parse.Error(Parse.Error.INVALID_QUERY, 'bad $and format - use an array value');
} }
if (value.some(subQuery => subQuery.ACL)) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
}
return {key: '$and', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))}; return {key: '$and', value: value.map(subQuery => transformWhere(className, subQuery, {}, schema))};
default: default:
// Other auth data // Other auth data
@@ -224,9 +230,6 @@ function transformQueryKeyValue(className, key, value, schema) {
const specialQuerykeys = ['$and', '$or', '_rperm', '_wperm', '_perishable_token', '_email_verify_token']; const specialQuerykeys = ['$and', '$or', '_rperm', '_wperm', '_perishable_token', '_email_verify_token'];
function transformWhere(className, restWhere, { validate = true } = {}, schema) { function transformWhere(className, restWhere, { validate = true } = {}, schema) {
let mongoWhere = {}; let mongoWhere = {};
if (restWhere['ACL']) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
}
for (let restKey in restWhere) { for (let restKey in restWhere) {
if (validate && !specialQuerykeys.includes(restKey) && !restKey.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) { if (validate && !specialQuerykeys.includes(restKey) && !restKey.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {
throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${restKey}`); throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid key name: ${restKey}`);
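Review bot: With the guard removed from transformWhere, rejecting ACL queries now depends on every caller checking first. This page shows the check added to deleteObjectsByQuery, update, find and the `$or`/`$and` branches, but any other caller of transformWhere outside these hunks would now accept an `ACL` key without error. Because the check appears to exist to stop clients filtering on the permission field, I would state the new precondition on transformWhere, e.g. `// Callers must reject restWhere.ACL before calling; this function no longer does.`, and confirm each remaining call site. Separately, `value.some(subQuery => subQuery.ACL)` throws a TypeError rather than INVALID_QUERY when an array element is null or undefined. transformWhere's body continues outside the hunk.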


@@ -184,6 +184,9 @@ DatabaseController.prototype.update = function(className, query, update, {
throw error; throw error;
}) })
.then(parseFormatSchema => { .then(parseFormatSchema => {
if (query.ACL) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
}
var mongoWhere = this.transform.transformWhere(className, query, {validate: !this.skipValidation}, parseFormatSchema); var mongoWhere = this.transform.transformWhere(className, query, {validate: !this.skipValidation}, parseFormatSchema);
mongoUpdate = this.transform.transformUpdate( mongoUpdate = this.transform.transformUpdate(
schemaController, schemaController,
@@ -668,6 +671,9 @@ DatabaseController.prototype.find = function(className, query, {
if (!isMaster) { if (!isMaster) {
query = addReadACL(query, aclGroup); query = addReadACL(query, aclGroup);
} }
if (query.ACL) {
throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.');
}
let mongoWhere = this.transform.transformWhere(className, query, {}, schema); let mongoWhere = this.transform.transformWhere(className, query, {}, schema);
if (count) { if (count) {
delete mongoOptions.limit; delete mongoOptions.limit;
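Review bot: The same three-line guard and message are now pasted into update and find here, as well as the storage adapter and both `$or`/`$and` branches, so one copy can easily drift or be left out of a new method. A single helper in this file, for example `const validateQuery = query => { if (query.ACL) { throw new Parse.Error(Parse.Error.INVALID_QUERY, 'Cannot query on ACL.'); } };`, called as `validateQuery(query);` before each transformWhere call, would keep the rule in one place. In update the check also runs only inside the `.then` after the schema has been loaded, and it could run before that work starts. Both functions start and end outside the hunks.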