Updates based on review
@@ -687,7 +687,7 @@ describe('SchemaController', () => {
|
||||
});
|
||||
});
|
||||
|
||||
it('refuses to add CLP with incorrect protectedFields', done => {
|
||||
it('refuses to add CLP when incorrectly sending a string to protectedFields object value instead of an array', done => {
|
||||
const levelPermissions = {
|
||||
find: { '*': true },
|
||||
get: { '*': true },
|
||||
|
||||
@@ -522,8 +522,8 @@ describe('Personally Identifiable Information', () => {
|
||||
.catch(done.fail);
|
||||
});
|
||||
|
||||
// Explict ACL should be able to read sensitive information
|
||||
describe('with privilaged user no CLP', () => {
|
||||
// Explicit ACL should be able to read sensitive information
|
||||
describe('with privileged user no CLP', () => {
|
||||
let adminUser;
|
||||
|
||||
beforeEach(async done => {
|
||||
@@ -748,21 +748,18 @@ describe('Personally Identifiable Information', () => {
|
||||
protectedFields: {
|
||||
_User: { '*': ['ssn', 'zip'], 'role:Administrator': [] },
|
||||
},
|
||||
}).then(() => done());
|
||||
}).then(done);
|
||||
});
|
||||
|
||||
it('should be able to get own PII via API with object', done => {
|
||||
const userObj = new (Parse.Object.extend(Parse.User))();
|
||||
userObj.id = user.id;
|
||||
userObj.fetch().then(
|
||||
fetchedUser => {
|
||||
expect(fetchedUser.get('email')).toBe(EMAIL);
|
||||
expect(fetchedUser.get('zip')).toBe(ZIP);
|
||||
expect(fetchedUser.get('ssn')).toBe(SSN);
|
||||
done();
|
||||
},
|
||||
e => done.fail(e)
|
||||
);
|
||||
userObj.fetch().then(fetchedUser => {
|
||||
expect(fetchedUser.get('email')).toBe(EMAIL);
|
||||
expect(fetchedUser.get('zip')).toBe(ZIP);
|
||||
expect(fetchedUser.get('ssn')).toBe(SSN);
|
||||
done();
|
||||
}, done.fail);
|
||||
});
|
||||
|
||||
it('should not be able to get PII via API with object', done => {
|
||||
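Review bot: The `beforeEach` chain now ends in `}).then(done);` with no rejection path, so if the server reconfiguration rejects, `done` is never called and the whole describe block fails by timeout (or, depending on the Jasmine version, as an unhandled rejection with no test context) instead of with the actual error. Elsewhere in this spec the same pattern is closed with `.catch(done.fail)`, and the rewritten fetch below already passes `done.fail` as the rejection handler, so the hook should follow suit: `}).then(done, done.fail);`. The `beforeEach` body starts above this hunk, so any handler attached earlier in the chain is not visible here.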
@@ -997,7 +994,7 @@ describe('Personally Identifiable Information', () => {
|
||||
.catch(done.fail);
|
||||
});
|
||||
|
||||
// Explict ACL should be able to read sensitive information
|
||||
// Explicit ACL should be able to read sensitive information
|
||||
describe('with privilaged user CLP', () => {
|
||||
let adminUser;
|
||||
|
||||
|
||||
@@ -1439,7 +1439,7 @@ class DatabaseController {
|
||||
[...(auth.userRoles || [])].forEach(role => {
|
||||
const fields = protectedFields[role];
|
||||
if (fields) {
|
||||
protectedKeys = protectedKeys.filter(v => fields.includes(v));
|
||||
protectedKeys = protectedKeys.filter(fields.includes);
|
||||
}
|
||||
});
|
||||
|
||||
|
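Review bot: `protectedKeys = protectedKeys.filter(fields.includes);` passes `Array.prototype.includes` unbound, so inside `filter` its `this` is undefined and the first key evaluated throws a TypeError; even if it were bound, `filter` supplies the element index as the second argument, which `includes` treats as `fromIndex`, so whether a key survives would depend on its position in the array. This page prints both versions without markers, but the other sections of the page render old before new; if the unbound form is the new side, the per-role narrowing of protected fields breaks for every authenticated user holding a role listed under `protectedFields`, which is exactly the path the `'role:Administrator': []` tests on this page exercise. Keep the explicit callback: `protectedKeys = protectedKeys.filter(v => fields.includes(v));`. The enclosing method starts and ends outside this hunk.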
||||
@@ -352,6 +352,7 @@ function injectDefaults(options: ParseServerOptions) {
|
||||
console.warn(
|
||||
`\nDEPRECATED: userSensitiveFields has been replaced by protectedFields allowing the ability to protect fields in all classes with CLP. \n`
|
||||
);
|
||||
/* eslint-enable no-console */
|
||||
|
||||
const userSensitiveFields = Array.from(
|
||||
new Set([
|
||||
@@ -360,7 +361,6 @@ function injectDefaults(options: ParseServerOptions) {
|
||||
])
|
||||
);
|
||||
|
||||
/* eslint-enable no-console */
|
||||
options.protectedFields = { _User: { '*': userSensitiveFields } };
|
||||
}
|
||||
|
||||
|
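Review bot: `options.protectedFields = { _User: { '*': userSensitiveFields } };` replaces the entire `protectedFields` object rather than merging into it, so an operator who still sets the deprecated `userSensitiveFields` silently loses any `protectedFields` configured alongside it — entries for other classes, and other `_User` keys such as `role:…` narrowings — and those fields become readable again. Since this branch exists to keep legacy deployments protected, it should preserve existing entries and union the `_User['*']` list with `userSensitiveFields`, as sketched below. The enclosing `if` and the contents spread into the `Set` start above this hunk, so what is already folded into `userSensitiveFields` is not visible here.
```javascript
    // … unchanged: deprecation warning and userSensitiveFields de-duplication …
    // Merge into any protectedFields the operator already configured instead of
    // discarding them; only the _User '*' list is extended with the legacy fields.
    const existing = options.protectedFields || {};
    const existingUser = existing._User || {};
    options.protectedFields = Object.assign({}, existing, {
      _User: Object.assign({}, existingUser, {
        '*': Array.from(
          new Set([...(existingUser['*'] || []), ...userSensitiveFields])
        ),
      }),
    });
```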
||||