fix: volatileClasses are masterKey only (#3916)

* volatileClass should respect the schema if defined

* masterKey only for the volatileClasses

* add some test …
This commit is contained in:
Worathiti Manosroi
2017-06-13 16:36:40 +02:00
committed by Florent Vilmart
parent c4fbc1f358
commit 7d70af60ba
4 changed files with 40 additions and 4 deletions


@@ -395,7 +395,6 @@ describe('PushController', () => {
}); });
it('properly creates _PushStatus', (done) => { it('properly creates _PushStatus', (done) => {
var installations = []; var installations = [];
while(installations.length != 10) { while(installations.length != 10) {
const installation = new Parse.Object("_Installation"); const installation = new Parse.Object("_Installation");
@@ -436,7 +435,7 @@ describe('PushController', () => {
reconfigureServer({ reconfigureServer({
push: { adapter: pushAdapter } push: { adapter: pushAdapter }
}).then(() => { }).then(() => {
return Parse.Object.saveAll(installations) return Parse.Object.saveAll(installations);
}) })
.then(() => { .then(() => {
return pushController.sendPush(payload, {}, config, auth); return pushController.sendPush(payload, {}, config, auth);
@@ -472,8 +471,8 @@ describe('PushController', () => {
// Try to get it without masterKey // Try to get it without masterKey
const query = new Parse.Query('_PushStatus'); const query = new Parse.Query('_PushStatus');
return query.find(); return query.find();
}).then((results) => { }).catch((error) => {
expect(results.length).toBe(0); expect(error.code).toBe(119);
done(); done();
}); });
}); });
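Review bot: In the last hunk the rewritten `}).catch((error) => {` makes the spec pass only through rejection: if `query.find()` resolves (a regression in which the masterKey-only guard on `_PushStatus` is lost), `done()` is never reached and the spec times out instead of failing on an assertion. Add a resolution branch ahead of the catch, `}).then(() => { done.fail('find() on _PushStatus should be rejected without masterKey'); }).catch((error) => {`, assuming the suite runs under jasmine where `done.fail` is available (confirm). The enclosing `it` starts outside the hunk, and the single line removed in the first hunk (`-395,7 +395,6`) is not visible on this page.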


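--- a/[path not shown on page: rest create spec]
+++ b/[path not shown on page: rest create spec]
@@ -420,6 +420,35 @@ describe('rest create', () => {
 done();
 })
 });
+it("can create object in volatileClasses if masterKey", (done) =>{
+rest.create(config, auth.master(config), '_PushStatus', {})
+.then((r) => {
+expect(r.response.objectId.length).toBe(10);
+})
+.then(() => {
+rest.create(config, auth.master(config), '_JobStatus', {})
+.then((r) => {
+expect(r.response.objectId.length).toBe(10);
+done();
+})
+})
+});
+it("cannot create object in volatileClasses if not masterKey", (done) =>{
+Promise.resolve()
+.then(() => {
+rest.create(config, auth.nobody(config), '_PushStatus', {})
+})
+.then((r) => {
+console.log(r);
+})
+.catch((error) => {
+expect(error.code).toEqual(119);
+done();
+})
+})
 });
 describe('rest update', () => {
 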
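Review bot: In the new "cannot create object in volatileClasses if not masterKey" spec, the `rest.create(...)` call inside `.then(() => { ... })` is not returned, so its promise is detached from the chain; the spec reaches `.catch` presumably only because `enforceRoleSecurity` throws synchronously, and a later change that returns a rejected promise instead would leave that rejection unhandled and the spec timing out. Return the promise, `return rest.create(config, auth.nobody(config), '_PushStatus', {});`, and replace the leftover `console.log(r);` with an explicit failure such as `fail('create on _PushStatus should be rejected without masterKey');` (jasmine's global `fail`, confirm the runner) so a successful create fails the spec rather than logging. The same missing `return` is on the inner `rest.create(config, auth.master(config), '_JobStatus', {})` of the preceding spec, where a rejection would bypass `done()` and also surface as a timeout. Three added blank lines implied by the hunk count (`+420,35`) are not visible on this page.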

@@ -793,6 +793,7 @@ export default class SchemaController {
// Validates an operation passes class-level-permissions set in the schema // Validates an operation passes class-level-permissions set in the schema
validatePermission(className, aclGroup, operation) { validatePermission(className, aclGroup, operation) {
if (this.testBaseCLP(className, aclGroup, operation)) { if (this.testBaseCLP(className, aclGroup, operation)) {
return Promise.resolve(); return Promise.resolve();
} }


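--- a/[path not shown on page: enforceRoleSecurity module]
+++ b/[path not shown on page: enforceRoleSecurity module]
@@ -142,6 +142,13 @@ function enforceRoleSecurity(method, className, auth) {
 throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
 }
 }
+//all volatileClasses are masterKey only
+const volatileClasses = ['_JobStatus', '_PushStatus', '_Hooks', '_GlobalConfig'];
+if(volatileClasses.includes(className) && !auth.isMaster){
+const error = `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`
+throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
+}
 }
 module.exports = {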
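Review bot: The masterKey-only list added at `const volatileClasses = [...]` is an inline allow-list local to `enforceRoleSecurity`, rebuilt on every call and maintained separately from whatever list the schema layer uses for the same classes; if a volatile class is added on one side but not here, that class is again reachable by clients without a master key, which is exactly the gap this commit closes. Hoist it to module scope as a frozen constant, `const volatileClasses = Object.freeze(['_JobStatus', '_PushStatus', '_Hooks', '_GlobalConfig']);`, or better import the list from the schema module if it already exports one (the commit touches SchemaController in the same change, so this seems likely — confirm). Reword the comment to say why the check sits here: `// Volatile classes are masterKey-only regardless of any CLP on the class, so reject before CLP evaluation.` The `const error = ...` line is also missing its terminating semicolon, unlike the matching line above it; `enforceRoleSecurity` itself starts outside the hunk.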