From 9bff44b4469e39e38e43133f91d9cb39c337ed60 Mon Sep 17 00:00:00 2001
From: Florent Vilmart <364568+flovilmart@users.noreply.github.com>
Date: Wed, 30 May 2018 12:55:15 -0400
Subject: [PATCH] Ensure users with undefined ACL are treated as readable (#4795)

* Adds test to reproduce issue #4790
* Attempt to allow failure on node STABLE
* Use new format for apt packages
---
 .travis.yml | 8 ++++++--
 spec/ParseUser.spec.js | 36 ++++++++++++++++++++++++++++++++++++
 src/Routers/UsersRouter.js | 3 ++-
 3 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index d174625a..672dbbbb 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,8 +7,9 @@ services:
 - docker
 addons:
 postgresql: '9.5'
- apt_packages:
- - postgresql-9.5-postgis-2.3
+ apt:
+ packages:
+ - postgresql-9.5-postgis-2.3
 branches:
 only:
 - master
@@ -32,6 +33,9 @@ env:
 - PARSE_SERVER_TEST_DB=postgres
 - PARSE_SERVER_TEST_CACHE=redis
 - NODE_VERSION=stable
+matrix:
+ allow_failures:
+ - env: NODE_VERSION=stable
 before_install:
 - nvm install $NODE_VERSION
 - nvm use $NODE_VERSION
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
index 4ef675e1..a91ac5f8 100644
--- a/spec/ParseUser.spec.js
+++ b/spec/ParseUser.spec.js
@@ -7,6 +7,7 @@ "use strict";
+import MongoStorageAdapter from '../src/Adapters/Storage/Mongo/MongoStorageAdapter';
 const request = require('request');
 const passwordCrypto = require('../src/password');
 const Config = require('../src/Config');
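Review bot: The new `allow_failures` entry for `NODE_VERSION=stable` in the second .travis.yml hunk carries no comment saying why that job is allowed to fail or when the exemption should be lifted, so a genuine regression on current Node would be masked once the original cause is gone. The commit message only says "Attempt to allow failure on node STABLE", which does not name the cause either. Add a comment above the entry, e.g. `# TODO: remove once the NODE_VERSION=stable job is green again`, so the exemption does not outlive its reason.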
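Review bot: The added `import MongoStorageAdapter from '../src/Adapters/Storage/Mongo/MongoStorageAdapter';` is an ES-module import in a spec file that otherwise loads everything with `require` (`const request = require('request');` on the very next line), so the file now mixes two module systems and depends on the test transpiler accepting both. For consistency with its neighbours the line could be written as `const MongoStorageAdapter = require('../src/Adapters/Storage/Mongo/MongoStorageAdapter').default;`; whether `.default` is needed depends on how that module exports the class, which is not visible here.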
@@ -239,6 +240,41 @@ describe('Parse.User testing', () => {
 });
 });
+ it_only_db('mongo')('should let legacy users without ACL login', async() => {
+ const databaseURI = 'mongodb://localhost:27017/parseServerMongoAdapterTestDatabase';
+ const adapter = new MongoStorageAdapter({ collectionPrefix: 'test_', uri: databaseURI });
+ await adapter.connect();
+ await adapter.database.dropDatabase();
+ delete adapter.connectionPromise;
+
+ const user = new Parse.User();
+ await user.signUp({
+ username: 'newUser',
+ password: 'password',
+ });
+
+ const collection = await adapter._adaptiveCollection('_User');
+ await collection.insertOne({
+ // the hashed password is 'password' hashed
+ "_hashed_password": "$2b$10$mJ2ca2UbCM9hlojYHZxkQe8pyEXe5YMg0nMdvP4AJBeqlTEZJ6/Uu",
+ "_session_token": "xxx",
+ "email": "xxx@a.b",
+ "username": "oldUser",
+ "emailVerified": true,
+ "_email_verify_token": "yyy",
+ });
+
+ // get the 2 users
+ const users = await collection.find();
+ expect(users.length).toBe(2);
+
+ const aUser = await Parse.User.logIn('oldUser', 'password');
+ expect(aUser).not.toBeUndefined();
+
+ const newUser = await Parse.User.logIn('newUser', 'password');
+ expect(newUser).not.toBeUndefined();
+ });
+
 it('should be let masterKey lock user out with authData', (done) => {
 let objectId;
 let sessionToken;
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
index e3b967ec..29f1efe5 100644
--- a/src/Routers/UsersRouter.js
+++ b/src/Routers/UsersRouter.js
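Review bot: The new test only exercises the case the fix opens up — a legacy `_User` row inserted with no ACL can still log in — and never asserts the lock-out behaviour the same condition is supposed to keep: the src/Routers/UsersRouter.js hunk now distinguishes an absent ACL from an explicitly empty one, and nothing here checks that a user whose ACL is `{}` is still rejected. A companion case that locks `newUser` out the way the UsersRouter comment describes (ACL set to `{}` using the master key) and expects `Parse.User.logIn('newUser', 'password')` to reject would pin both sides of the condition and catch a future regression in either direction. Separately, `const databaseURI = 'mongodb://localhost:27017/parseServerMongoAdapterTestDatabase';` hard-codes the test database; if the other specs share a URI constant, reusing it here would keep this test on the same database as the rest of the suite. The enclosing `describe` block starts and ends outside the hunk.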
@@ -117,7 +117,8 @@ export class UsersRouter extends ClassesRouter {
 // Ensure the user isn't locked out
 // A locked out user won't be able to login
 // To lock a user out, just set the ACL to `masterKey` only ({}).
- if (!req.auth.isMaster && (!user.ACL || Object.keys(user.ACL).length == 0)) {
+ // Empty ACL is OK
+ if (!req.auth.isMaster && user.ACL && Object.keys(user.ACL).length == 0) {
 throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
 }
 if (req.config.verifyUserEmails && req.config.preventLoginWithUnverifiedEmail && !user.emailVerified) {
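Review bot: The added comment `// Empty ACL is OK` states the opposite of what the new condition does: an explicitly empty ACL (`{}`) still throws `OBJECT_NOT_FOUND`, and it is an absent ACL (`undefined` or `null`) that is now allowed through. Suggest `// Users with no ACL at all (legacy rows) may log in; an explicitly empty ACL ({}) still locks the user out.` so the next reader does not conclude that `{}` has stopped being the lock-out marker. Note that the old check also rejected a `null` ACL, so if any deployment relied on nulling a user's ACL to lock them out, that user can log in again after this change; calling that out in the commit or changelog seems worthwhile. While touching the line, `length == 0` could become `length === 0`. The enclosing handler starts and ends outside the hunk.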