Fix LiveQuery unsafe user (#3525)
* LiveQuery should not use unsafe user setting * server should issue queries with the master key
committed by
Florent Vilmart
parent
58bdeeee2d
commit
a520ea0243
@@ -4,13 +4,14 @@ describe('SessionTokenCache', function() {
|
|||||||
|
|
||||||
beforeEach(function(done) {
|
beforeEach(function(done) {
|
||||||
var Parse = require('parse/node');
|
var Parse = require('parse/node');
|
||||||
// Mock parse
|
|
||||||
var mockUser = {
|
spyOn(Parse, "Query").and.returnValue({
|
||||||
become: jasmine.createSpy('become').and.returnValue(Parse.Promise.as({
|
first: jasmine.createSpy("first").and.returnValue(Parse.Promise.as(new Parse.Object("_Session", {
|
||||||
id: 'userId'
|
user: new Parse.User({id:"userId"})
|
||||||
}))
|
}))),
|
||||||
}
|
equalTo: function(){}
|
||||||
jasmine.mockLibrary('parse/node', 'User', mockUser);
|
})
|
||||||
|
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
|
|
||||||
@@ -46,7 +47,4 @@ describe('SessionTokenCache', function() {
|
|||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
afterEach(function() {
|
|
||||||
jasmine.restoreLibrary('parse/node', 'User');
|
|
||||||
});
|
|
||||||
});
|
});
|
||||||
|
|||||||
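Review bot: The `Parse.Query` stub in `beforeEach` uses `equalTo: function(){}` and the `first` spy accepts any arguments, so these specs would still pass if the lookup dropped the `sessionToken` constraint or the `{useMasterKey:true}` option. Making the stub `equalTo: jasmine.createSpy("equalTo")` and asserting `toHaveBeenCalledWith("sessionToken", <token used by the spec>)` on it, plus the options passed to `first`, would pin the behaviour this commit is about. A case where `first` resolves with no session would cover the rejection path as well. The spec bodies lie outside the hunks shown, so existing assertions there may already cover part of this.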
@@ -37,7 +37,6 @@ class ParseLiveQueryServer {
|
|||||||
|
|
||||||
// Initialize Parse
|
// Initialize Parse
|
||||||
Parse.Object.disableSingleInstance();
|
Parse.Object.disableSingleInstance();
|
||||||
Parse.User.enableUnsafeCurrentUser();
|
|
||||||
|
|
||||||
const serverURL = config.serverURL || Parse.serverURL;
|
const serverURL = config.serverURL || Parse.serverURL;
|
||||||
Parse.serverURL = serverURL;
|
Parse.serverURL = serverURL;
|
||||||
@@ -363,7 +362,7 @@ class ParseLiveQueryServer {
|
|||||||
// Then get the user's roles
|
// Then get the user's roles
|
||||||
var rolesQuery = new Parse.Query(Parse.Role);
|
var rolesQuery = new Parse.Query(Parse.Role);
|
||||||
rolesQuery.equalTo("users", user);
|
rolesQuery.equalTo("users", user);
|
||||||
return rolesQuery.find();
|
return rolesQuery.find({useMasterKey:true});
|
||||||
}).
|
}).
|
||||||
then((roles) => {
|
then((roles) => {
|
||||||
|
|
||||||
|
|||||||
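Review bot: With `enableUnsafeCurrentUser()` gone, `rolesQuery.find({useMasterKey:true})` makes the master key a hard requirement for role-based ACL matching, and nothing in these hunks checks that one is configured. If the constructor (which continues outside the first hunk) does not already reject a missing master key, a startup check next to the `Parse.serverURL` assignment would turn a per-request failure into a clear configuration error. A short comment on the call would also help, for example `// master key: server-side role lookup, no current user is set on this process`. The query also keeps the default result limit, so a user with many roles may get an incomplete role list; worth confirming that this is acceptable.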
@@ -2,6 +2,17 @@ import Parse from 'parse/node';
|
|||||||
import LRU from 'lru-cache';
|
import LRU from 'lru-cache';
|
||||||
import logger from '../logger';
|
import logger from '../logger';
|
||||||
|
|
||||||
|
function userForSessionToken(sessionToken){
|
||||||
|
var q = new Parse.Query("_Session");
|
||||||
|
q.equalTo("sessionToken", sessionToken);
|
||||||
|
return q.first({useMasterKey:true}).then(function(session){
|
||||||
|
if(!session){
|
||||||
|
return Parse.Promise.error("No session found for session token");
|
||||||
|
}
|
||||||
|
return session.get("user");
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
class SessionTokenCache {
|
class SessionTokenCache {
|
||||||
cache: Object;
|
cache: Object;
|
||||||
|
|
||||||
@@ -21,7 +32,7 @@ class SessionTokenCache {
|
|||||||
logger.verbose('Fetch userId %s of sessionToken %s from Cache', userId, sessionToken);
|
logger.verbose('Fetch userId %s of sessionToken %s from Cache', userId, sessionToken);
|
||||||
return Parse.Promise.as(userId);
|
return Parse.Promise.as(userId);
|
||||||
}
|
}
|
||||||
return Parse.User.become(sessionToken).then((user) => {
|
return userForSessionToken(sessionToken).then((user) => {
|
||||||
logger.verbose('Fetch userId %s of sessionToken %s from Parse', user.id, sessionToken);
|
logger.verbose('Fetch userId %s of sessionToken %s from Parse', user.id, sessionToken);
|
||||||
const userId = user.id;
|
const userId = user.id;
|
||||||
this.cache.set(sessionToken, userId);
|
this.cache.set(sessionToken, userId);
|
||||||
|
|||||||
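Review bot: `userForSessionToken` accepts any `_Session` row that matches the token and never looks at its expiry, so an expired session token may still resolve to a user unless the server filters expired sessions on master-key queries, which is not visible here. The `Parse.User.become` call it replaces presumably went through the server's own session validation. Inside the `then` callback, before `return session.get("user")`, consider `const expiresAt = session.get("expiresAt");` followed by `if (expiresAt && expiresAt < new Date()) { return Parse.Promise.error("Session token is expired"); }`. A session without a `user` pointer also falls through to `user.id` in the caller; rejecting it explicitly in the helper would give a clearer error. The method that calls the helper starts and ends outside the hunk.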