Fixes issue #3835 affecting relation updates (#3836)

* Adds test for 3835 * Makes sure we run relational updates AFTER validating access to the object * Always run relation udpates last
2017-05-22 12:34:00 -04:00
parent 03b6449fe1
commit b5a2042d12
2 changed files with 68 additions and 20 deletions
--- a/spec/ParseRole.spec.js
+++ b/spec/ParseRole.spec.js
@@ -428,4 +428,24 @@ describe('Parse Role testing', () => {
    });
  });

+  it('should be secure (#3835)', (done) => {
+    const acl = new Parse.ACL();
+    acl.getPublicReadAccess(true);
+    const role = new Parse.Role('admin', acl);
+    role.save().then(() => {
+      const user = new Parse.User();
+      return user.signUp({username: 'hello', password: 'world'});
+    }).then((user) => {
+      role.getUsers().add(user)
+      return role.save();
+    }).then(done.fail, () => {
+      const query = role.getUsers().query();
+      return query.find({useMasterKey: true});
+    }).then((results) => {
+      expect(results.length).toBe(0);
+      done();
+    })
+    .catch(done.fail);
+  });
+
 });