Validates permission before calling beforeSave trigger (#5546)

* Test to reproduce the problem * Validating update before calling beforeSave trigger * Fixing lint * Commenting code * Improving the code
2019-05-11 10:37:27 -07:00
parent 2cc21bf1f2
commit 90c81c1750
3 changed files with 268 additions and 2 deletions
--- a/src/Controllers/DatabaseController.js
+++ b/src/Controllers/DatabaseController.js
@@ -476,7 +476,8 @@ class DatabaseController {
    query: any,
    update: any,
    { acl, many, upsert }: FullQueryOptions = {},
-    skipSanitization: boolean = false
+    skipSanitization: boolean = false,
+    validateOnly: boolean = false
  ): Promise<any> {
    const originalQuery = query;
    const originalUpdate = update;
@@ -557,6 +558,19 @@ class DatabaseController {
              }
              update = transformObjectACL(update);
              transformAuthData(className, update, schema);
+              if (validateOnly) {
+                return this.adapter
+                  .find(className, schema, query, {})
+                  .then(result => {
+                    if (!result || !result.length) {
+                      throw new Parse.Error(
+                        Parse.Error.OBJECT_NOT_FOUND,
+                        'Object not found.'
+                      );
+                    }
+                    return {};
+                  });
+              }
              if (many) {
                return this.adapter.updateObjectsByQuery(
                  className,
@@ -588,6 +602,9 @@ class DatabaseController {
              'Object not found.'
            );
          }
+          if (validateOnly) {
+            return result;
+          }
          return this.handleRelationUpdates(
            className,
            originalQuery.objectId,
@@ -802,7 +819,8 @@ class DatabaseController {
  create(
    className: string,
    object: any,
-    { acl }: QueryOptions = {}
+    { acl }: QueryOptions = {},
+    validateOnly: boolean = false
  ): Promise<any> {
    // Make a copy of the object, so we don't mutate the incoming data.
    const originalObject = object;
@@ -831,6 +849,9 @@ class DatabaseController {
          .then(schema => {
            transformAuthData(className, object, schema);
            flattenUpdateOperatorsForCreate(object);
+            if (validateOnly) {
+              return {};
+            }
            return this.adapter.createObject(
              className,
              SchemaController.convertSchemaToAdapterSchema(schema),
@@ -838,6 +859,9 @@ class DatabaseController {
            );
          })
          .then(result => {
+            if (validateOnly) {
+              return originalObject;
+            }
            return this.handleRelationUpdates(
              className,
              object.objectId,