joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Set default protectedFields and remove previous filter logic

Browse Source
This commit is contained in:
awgeorge
2019-01-28 07:50:21 +00:00
committed by Arthur Cinader
parent 95831a5b22
commit b343de0c70
8 changed files with 91 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
spec/MongoSchemaCollectionAdapter.spec.js
View File

@@ -23,6 +23,7 @@ describe('MongoSchemaCollection', () => {
create: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': [] },
},
indexes: {
name1: { deviceToken: 1 },
@@ -72,6 +73,7 @@ describe('MongoSchemaCollection', () => {
update: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': [] },
},
indexes: {
name1: { deviceToken: 1 },

4
spec/ParseLiveQueryServer.spec.js
View File

@@ -257,6 +257,7 @@ describe('ParseLiveQueryServer', function() {
find: {},
update: {},
delete: { '*': true },
protectedFields: {},
});
expect(deleteSpy).toHaveBeenCalled();
@@ -270,6 +271,7 @@ describe('ParseLiveQueryServer', function() {
find: {},
update: {},
delete: { '*': true },
protectedFields: {},
});
done();
})
@@ -1920,6 +1922,7 @@ describe('LiveQueryController', () => {
find: {},
update: {},
delete: { '*': true },
protectedFields: {},
});
expect(deleteSpy).toHaveBeenCalled();
@@ -1933,6 +1936,7 @@ describe('LiveQueryController', () => {
find: {},
update: {},
delete: { '*': true },
protectedFields: {},
});
done();
})

70
spec/Schema.spec.js
View File

@@ -320,6 +320,7 @@ describe('SchemaController', () => {
update: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': [] },
},
};
expect(dd(actualSchema, expectedSchema)).toEqual(undefined);
@@ -338,6 +339,7 @@ describe('SchemaController', () => {
update: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': [] },
};
config.database.loadSchema().then(schema => {
schema
@@ -461,6 +463,7 @@ describe('SchemaController', () => {
update: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': [] },
},
};
expect(dd(actualSchema, expectedSchema)).toEqual(undefined);
@@ -653,6 +656,68 @@ describe('SchemaController', () => {
});
});
it('refuses to add CLP with incorrect find', done => {
const levelPermissions = {
find: { '*': false },
get: { '*': true },
create: { '*': true },
update: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': ['email'] },
};
config.database.loadSchema().then(schema => {
schema
.validateObject('NewClass', {})
.then(() => schema.reloadData())
.then(() =>
schema.updateClass(
'NewClass',
{},
levelPermissions,
{},
config.database
)
)
.then(done.fail)
.catch(error => {
expect(error.code).toEqual(Parse.Error.INVALID_JSON);
done();
});
});
});
it('refuses to add CLP with incorrect protectedFields', done => {
const levelPermissions = {
find: { '*': true },
get: { '*': true },
create: { '*': true },
update: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': 'email' },
};
config.database.loadSchema().then(schema => {
schema
.validateObject('NewClass', {})
.then(() => schema.reloadData())
.then(() =>
schema.updateClass(
'NewClass',
{},
levelPermissions,
{},
config.database
)
)
.then(done.fail)
.catch(error => {
expect(error.code).toEqual(Parse.Error.INVALID_JSON);
done();
});
});
});
it('will create classes', done => {
config.database
.loadSchema()
@@ -706,6 +771,7 @@ describe('SchemaController', () => {
update: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': [] },
},
};
expect(dd(actualSchema, expectedSchema)).toEqual(undefined);
@@ -751,6 +817,7 @@ describe('SchemaController', () => {
update: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': [] },
},
};
expect(dd(actualSchema, expectedSchema)).toEqual(undefined);
@@ -782,6 +849,7 @@ describe('SchemaController', () => {
update: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': [] },
},
};
expect(dd(actualSchema, expectedSchema)).toEqual(undefined);
@@ -815,6 +883,7 @@ describe('SchemaController', () => {
update: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': [] },
},
};
expect(dd(actualSchema, expectedSchema)).toEqual(undefined);
@@ -1002,6 +1071,7 @@ describe('SchemaController', () => {
update: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': [] },
},
};
expect(dd(actualSchema, expectedSchema)).toEqual(undefined);

5
spec/schemas.spec.js
View File

@@ -45,6 +45,9 @@ const defaultClassLevelPermissions = {
delete: {
'*': true,
},
protectedFields: {
'*': [],
},
};
const plainOldDataSchema = {
@@ -1141,6 +1144,7 @@ describe('schemas', () => {
update: {},
delete: {},
addField: {},
protectedFields: {},
});
done();
});
@@ -2037,6 +2041,7 @@ describe('schemas', () => {
update: {},
delete: {},
addField: {},
protectedFields: {},
});
})
.then(done)

2
src/Adapters/Storage/Mongo/MongoSchemaCollection.js
View File

@@ -62,6 +62,7 @@ const emptyCLPS = Object.freeze({
update: {},
delete: {},
addField: {},
protectedFields: {},
});
const defaultCLPS = Object.freeze({
@@ -71,6 +72,7 @@ const defaultCLPS = Object.freeze({
update: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': [] },
});
function mongoSchemaToParseSchema(mongoSchema) {

2
src/Adapters/Storage/Postgres/PostgresStorageAdapter.js
View File

@@ -106,6 +106,7 @@ const emptyCLPS = Object.freeze({
update: {},
delete: {},
addField: {},
protectedFields: {},
});
const defaultCLPS = Object.freeze({
@@ -115,6 +116,7 @@ const defaultCLPS = Object.freeze({
update: { '*': true },
delete: { '*': true },
addField: { '*': true },
protectedFields: { '*': [] },
});
const toParseSchema = schema => {

6
src/Controllers/SchemaController.js
View File

@@ -203,6 +203,7 @@ const CLPValidKeys = Object.freeze([
'addField',
'readUserFields',
'writeUserFields',
'protectedFields',
]);
function validateCLP(perms: ClassLevelPermissions, fields: SchemaFields) {
if (!perms) {
@@ -250,7 +251,10 @@ function validateCLP(perms: ClassLevelPermissions, fields: SchemaFields) {
verifyPermissionKey(key);
// @flow-disable-next
const perm = perms[operation][key];
if (perm !== true) {
if (
perm !== true &&
(operation !== 'protectedFields' || !Array.isArray(perm))
) {
// @flow-disable-next
throw new Parse.Error(
Parse.Error.INVALID_JSON,

14
src/RestQuery.js
View File

@@ -565,19 +565,8 @@ RestQuery.prototype.replaceDontSelect = function() {
});
};
const cleanResultOfSensitiveUserInfo = function(result, auth, config) {
delete result.password;
if (auth.isMaster || (auth.user && auth.user.id === result.objectId)) {
return;
}
for (const field of config.userSensitiveFields) {
delete result[field];
}
};
const cleanResultAuthData = function(result) {
delete result.password;
if (result.authData) {
Object.keys(result.authData).forEach(provider => {
if (result.authData[provider] === null) {
@@ -645,7 +634,6 @@ RestQuery.prototype.runFind = function(options = {}) {
.then(results => {
if (this.className === '_User') {
for (var result of results) {
cleanResultOfSensitiveUserInfo(result, this.auth, this.config);
cleanResultAuthData(result);
}
}