Ensure users with undefined ACL are treated as readable (#4795)

* Adds test to reproduce issue #4790 * Attempt to allow failure on node STABLE * Use new format for apt packages
2018-05-30 12:55:15 -04:00
parent f4422c491e
commit 9bff44b446
3 changed files with 44 additions and 3 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,7 +7,8 @@ services:
  - docker
 addons:
  postgresql: '9.5'
-  apt_packages:
+  apt:
+    packages:
      - postgresql-9.5-postgis-2.3
 branches:
  only:
@@ -32,6 +33,9 @@ env:
  - PARSE_SERVER_TEST_DB=postgres
  - PARSE_SERVER_TEST_CACHE=redis
  - NODE_VERSION=stable
+matrix:
+  allow_failures:
+    - env: NODE_VERSION=stable
 before_install:
 - nvm install $NODE_VERSION
 - nvm use $NODE_VERSION
--- a/spec/ParseUser.spec.js
+++ b/spec/ParseUser.spec.js
@@ -7,6 +7,7 @@

 "use strict";

+import MongoStorageAdapter from '../src/Adapters/Storage/Mongo/MongoStorageAdapter';
 const request = require('request');
 const passwordCrypto = require('../src/password');
 const Config = require('../src/Config');
@@ -239,6 +240,41 @@ describe('Parse.User testing', () => {
    });
  });

+  it_only_db('mongo')('should let legacy users without ACL login', async() => {
+    const databaseURI = 'mongodb://localhost:27017/parseServerMongoAdapterTestDatabase';
+    const adapter = new MongoStorageAdapter({ collectionPrefix: 'test_', uri: databaseURI });
+    await adapter.connect();
+    await adapter.database.dropDatabase();
+    delete adapter.connectionPromise;
+
+    const user = new Parse.User();
+    await user.signUp({
+      username: 'newUser',
+      password: 'password',
+    });
+
+    const collection = await adapter._adaptiveCollection('_User');
+    await collection.insertOne({
+      // the hashed password is 'password' hashed
+      "_hashed_password": "$2b$10$mJ2ca2UbCM9hlojYHZxkQe8pyEXe5YMg0nMdvP4AJBeqlTEZJ6/Uu",
+      "_session_token": "xxx",
+      "email": "xxx@a.b",
+      "username": "oldUser",
+      "emailVerified": true,
+      "_email_verify_token": "yyy",
+    });
+
+    // get the 2 users
+    const users = await collection.find();
+    expect(users.length).toBe(2);
+
+    const aUser = await Parse.User.logIn('oldUser', 'password');
+    expect(aUser).not.toBeUndefined();
+
+    const newUser = await Parse.User.logIn('newUser', 'password');
+    expect(newUser).not.toBeUndefined();
+  });
+
  it('should be let masterKey lock user out with authData', (done) => {
    let objectId;
    let sessionToken;
--- a/src/Routers/UsersRouter.js
+++ b/src/Routers/UsersRouter.js
@@ -117,7 +117,8 @@ export class UsersRouter extends ClassesRouter {
        // Ensure the user isn't locked out
        // A locked out user won't be able to login
        // To lock a user out, just set the ACL to `masterKey` only  ({}).
-        if (!req.auth.isMaster && (!user.ACL || Object.keys(user.ACL).length == 0)) {
+        // Empty ACL is OK
+        if (!req.auth.isMaster && user.ACL && Object.keys(user.ACL).length == 0) {
          throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
        }
        if (req.config.verifyUserEmails && req.config.preventLoginWithUnverifiedEmail && !user.emailVerified) {