fix: volatileClasses are masterKey only (#3916)

* volatileClass should respect the schema if defined

* masterKey only for the volatileClasses

* add some test …

src/Controllers/SchemaController.js

@@ -793,6 +793,7 @@ export default class SchemaController {
 
   // Validates an operation passes class-level-permissions set in the schema
   validatePermission(className, aclGroup, operation) {
+
     if (this.testBaseCLP(className, aclGroup, operation)) {
       return Promise.resolve();
     }

src/rest.js

@@ -142,6 +142,13 @@ function enforceRoleSecurity(method, className, auth) {
       throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
     }
   }
+
+  //all volatileClasses are masterKey only
+  const volatileClasses = ['_JobStatus', '_PushStatus', '_Hooks', '_GlobalConfig'];
+  if(volatileClasses.includes(className) && !auth.isMaster){
+    const error = `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`
+    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
+  }
 }
 
 module.exports = {