Updates based on review

awgeorge
2019-02-22 09:45:22 +00:00
committed by Arthur Cinader
parent ff33c9939c
commit c5a5f57451
4 changed files with 13 additions and 16 deletions


@@ -687,7 +687,7 @@ describe('SchemaController', () => {
}); });
}); });
it('refuses to add CLP with incorrect protectedFields', done => { it('refuses to add CLP when incorrectly sending a string to protectedFields object value instead of an array', done => {
const levelPermissions = { const levelPermissions = {
find: { '*': true }, find: { '*': true },
get: { '*': true }, get: { '*': true },


@@ -522,8 +522,8 @@ describe('Personally Identifiable Information', () => {
.catch(done.fail); .catch(done.fail);
}); });
// Explict ACL should be able to read sensitive information // Explicit ACL should be able to read sensitive information
describe('with privilaged user no CLP', () => { describe('with privileged user no CLP', () => {
let adminUser; let adminUser;
beforeEach(async done => { beforeEach(async done => {
@@ -748,21 +748,18 @@ describe('Personally Identifiable Information', () => {
protectedFields: { protectedFields: {
_User: { '*': ['ssn', 'zip'], 'role:Administrator': [] }, _User: { '*': ['ssn', 'zip'], 'role:Administrator': [] },
}, },
}).then(() => done()); }).then(done);
}); });
it('should be able to get own PII via API with object', done => { it('should be able to get own PII via API with object', done => {
const userObj = new (Parse.Object.extend(Parse.User))(); const userObj = new (Parse.Object.extend(Parse.User))();
userObj.id = user.id; userObj.id = user.id;
userObj.fetch().then( userObj.fetch().then(fetchedUser => {
fetchedUser => { expect(fetchedUser.get('email')).toBe(EMAIL);
expect(fetchedUser.get('email')).toBe(EMAIL); expect(fetchedUser.get('zip')).toBe(ZIP);
expect(fetchedUser.get('zip')).toBe(ZIP); expect(fetchedUser.get('ssn')).toBe(SSN);
expect(fetchedUser.get('ssn')).toBe(SSN); done();
done(); }, done.fail);
},
e => done.fail(e)
);
}); });
it('should not be able to get PII via API with object', done => { it('should not be able to get PII via API with object', done => {
@@ -997,7 +994,7 @@ describe('Personally Identifiable Information', () => {
.catch(done.fail); .catch(done.fail);
}); });
// Explict ACL should be able to read sensitive information // Explicit ACL should be able to read sensitive information
describe('with privilaged user CLP', () => { describe('with privilaged user CLP', () => {
let adminUser; let adminUser;
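Review bot: The suite title in the last hunk still reads `'with privilaged user CLP'` on both the old and new side, although the same misspelling was corrected in the hunk at line 522 of this file. Change it to `describe('with privileged user CLP', () => {` so the two suites for privileged access to protected fields are named consistently in test output and are easy to grep for. The describe block continues outside the hunk.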


@@ -1439,7 +1439,7 @@ class DatabaseController {
[...(auth.userRoles || [])].forEach(role => { [...(auth.userRoles || [])].forEach(role => {
const fields = protectedFields[role]; const fields = protectedFields[role];
if (fields) { if (fields) {
protectedKeys = protectedKeys.filter(v => fields.includes(v)); protectedKeys = protectedKeys.filter(fields.includes);
} }
}); });
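Review bot: `protectedKeys.filter(fields.includes)` passes `Array.prototype.includes` detached from `fields`, so as soon as the callback is invoked it runs with `this` undefined and throws a TypeError instead of filtering. Even with a bound receiver, `filter` hands the element index to the callback as its second argument, which `includes` treats as `fromIndex`, so matches earlier in `fields` would be missed. This line decides which protected keys are still stripped for a user's roles, so keep the explicit wrapper: `protectedKeys = protectedKeys.filter(v => fields.includes(v));`. The enclosing method starts and ends outside the hunk.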


@@ -352,6 +352,7 @@ function injectDefaults(options: ParseServerOptions) {
console.warn( console.warn(
`\nDEPRECATED: userSensitiveFields has been replaced by protectedFields allowing the ability to protect fields in all classes with CLP. \n` `\nDEPRECATED: userSensitiveFields has been replaced by protectedFields allowing the ability to protect fields in all classes with CLP. \n`
); );
/* eslint-enable no-console */
const userSensitiveFields = Array.from( const userSensitiveFields = Array.from(
new Set([ new Set([
@@ -360,7 +361,6 @@ function injectDefaults(options: ParseServerOptions) {
]) ])
); );
/* eslint-enable no-console */
options.protectedFields = { _User: { '*': userSensitiveFields } }; options.protectedFields = { _User: { '*': userSensitiveFields } };
} }