"Object not found." instead of "Insufficient auth." when using master key (#5133)

* add additional isMaster check * adding some tests * nits * covering all basis
2018-10-23 02:33:43 +03:00
parent de79b70cbc
commit 961abda4eb
2 changed files with 38 additions and 3 deletions
--- a/spec/ParseUser.spec.js
+++ b/spec/ParseUser.spec.js
@@ -3314,7 +3314,9 @@ describe('Parse.User testing', () => {
        done();
      });
    });
-  }).pend('this test fails.  See: https://github.com/parse-community/parse-server/issues/5097');
+  }).pend(
+    'this test fails.  See: https://github.com/parse-community/parse-server/issues/5097'
+  );

  it('should be able to update user with authData passed', done => {
    let objectId;
@@ -3686,6 +3688,35 @@ describe('Parse.User testing', () => {
      .then(done, done.fail);
  });

+  it('should throw OBJECT_NOT_FOUND instead of SESSION_MISSING when using masterKey', async () => {
+    // create a fake user (just so we simulate an object not found)
+    const non_existent_user = Parse.User.createWithoutData('fake_id');
+    try {
+      await non_existent_user.destroy({ useMasterKey: true });
+      throw '';
+    } catch (e) {
+      expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
+    }
+    try {
+      await non_existent_user.save({}, { useMasterKey: true });
+      throw '';
+    } catch (e) {
+      expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
+    }
+    try {
+      await non_existent_user.save();
+      throw '';
+    } catch (e) {
+      expect(e.code).toBe(Parse.Error.SESSION_MISSING);
+    }
+    try {
+      await non_existent_user.destroy();
+      throw '';
+    } catch (e) {
+      expect(e.code).toBe(Parse.Error.SESSION_MISSING);
+    }
+  });
+
  describe('issue #4897', () => {
    it_only_db('mongo')(
      'should be able to login with a legacy user (no ACL)',
--- a/src/rest.js
+++ b/src/rest.js
@@ -250,9 +250,13 @@ function update(config, auth, className, restWhere, restObject, clientSDK) {
    });
 }

-function handleSessionMissingError(error, className) {
+function handleSessionMissingError(error, className, auth) {
  // If we're trying to update a user without / with bad session token
-  if (className === '_User' && error.code === Parse.Error.OBJECT_NOT_FOUND) {
+  if (
+    className === '_User' &&
+    error.code === Parse.Error.OBJECT_NOT_FOUND &&
+    !auth.isMaster
+  ) {
    throw new Parse.Error(Parse.Error.SESSION_MISSING, 'Insufficient auth.');
  }
  throw error;