Do not allow to protect default fields (#6439)

* consider default columns * disallow protecting default fields
2020-02-29 02:52:48 +03:00
parent 4291f2b22a
commit 6b0efaeffd
2 changed files with 28 additions and 3 deletions
--- a/spec/ProtectedFields.spec.js
+++ b/spec/ProtectedFields.spec.js
@@ -777,7 +777,7 @@ describe('ProtectedFields', function() {
      object.set('revision', 0);
      object.set('test', 'test');

-      await object.save({ useMasterKey: true });
+      await object.save(null, { useMasterKey: true });
    }

    beforeEach(async () => {
@@ -812,6 +812,24 @@ describe('ProtectedFields', function() {
        })
      ).toBeResolved();
    });
+
+    it('should not allow protecting default fields', async () => {
+      const defaultFields = ['objectId', 'createdAt', 'updatedAt', 'ACL'];
+      for (const field of defaultFields) {
+        await expectAsync(
+          updateCLP({
+            protectedFields: {
+              '*': [field],
+            },
+          })
+        ).toBeRejectedWith(
+          new Parse.Error(
+            Parse.Error.INVALID_JSON,
+            `Default field '${field}' can not be protected`
+          )
+        );
+      }
+    });
  });

  describe('targeting public access', () => {
@@ -1310,10 +1328,10 @@ describe('ProtectedFields', function() {

      // admin supersets moder role
      moder.relation('roles').add(admin);
-      await moder.save({ useMasterKey: true });
+      await moder.save(null, { useMasterKey: true });

      tester.relation('roles').add(moder);
-      await tester.save({ useMasterKey: true });
+      await tester.save(null, { useMasterKey: true });

      const roleAdmin = `role:${admin.get('name')}`;
      const roleModer = `role:${moder.get('name')}`;
--- a/src/Controllers/SchemaController.js
+++ b/src/Controllers/SchemaController.js
@@ -307,6 +307,13 @@ function validateCLP(

        // if the field is in form of array
        for (const field of protectedFields) {
+          // do not alloow to protect default fields
+          if (defaultColumns._Default[field]) {
+            throw new Parse.Error(
+              Parse.Error.INVALID_JSON,
+              `Default field '${field}' can not be protected`
+            );
+          }
          // field should exist on collection
          if (!Object.prototype.hasOwnProperty.call(fields, field)) {
            throw new Parse.Error(