joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Do not allow to protect default fields (#6439)

Browse Source 
* consider default columns

* disallow protecting default fields
This commit is contained in:
Old Grandpa
2020-02-29 02:52:48 +03:00
committed by GitHub
parent 4291f2b22a
commit 6b0efaeffd
2 changed files with 28 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
spec/ProtectedFields.spec.js
View File

@@ -777,7 +777,7 @@ describe('ProtectedFields', function() {
object.set('revision', 0); object.set('revision', 0);
object.set('test', 'test'); object.set('test', 'test');
await object.save({ useMasterKey: true }); await object.save(null, { useMasterKey: true });
} }
beforeEach(async () => { beforeEach(async () => {
@@ -812,6 +812,24 @@ describe('ProtectedFields', function() {
}) })
).toBeResolved(); ).toBeResolved();
}); });
it('should not allow protecting default fields', async () => {
const defaultFields = ['objectId', 'createdAt', 'updatedAt', 'ACL'];
for (const field of defaultFields) {
await expectAsync(
updateCLP({
protectedFields: {
'*': [field],
},
})
).toBeRejectedWith(
new Parse.Error(
Parse.Error.INVALID_JSON,
`Default field '${field}' can not be protected`
)
);
}
});
}); });
describe('targeting public access', () => { describe('targeting public access', () => {
@@ -1310,10 +1328,10 @@ describe('ProtectedFields', function() {
// admin supersets moder role // admin supersets moder role
moder.relation('roles').add(admin); moder.relation('roles').add(admin);
await moder.save({ useMasterKey: true }); await moder.save(null, { useMasterKey: true });
tester.relation('roles').add(moder); tester.relation('roles').add(moder);
await tester.save({ useMasterKey: true }); await tester.save(null, { useMasterKey: true });
const roleAdmin = `role:${admin.get('name')}`; const roleAdmin = `role:${admin.get('name')}`;
const roleModer = `role:${moder.get('name')}`; const roleModer = `role:${moder.get('name')}`;

7
src/Controllers/SchemaController.js
View File

@@ -307,6 +307,13 @@ function validateCLP(
// if the field is in form of array // if the field is in form of array
for (const field of protectedFields) { for (const field of protectedFields) {
// do not alloow to protect default fields
if (defaultColumns._Default[field]) {
throw new Parse.Error(
Parse.Error.INVALID_JSON,
`Default field '${field}' can not be protected`
);
}
// field should exist on collection // field should exist on collection
if (!Object.prototype.hasOwnProperty.call(fields, field)) { if (!Object.prototype.hasOwnProperty.call(fields, field)) {
throw new Parse.Error( throw new Parse.Error(