Makes sure we don't duplicate user ACL's keys (#2651)

* Adds repro for issue #2246 * Provide fix for issue #2246 * Nit with Set to deduplicate the acl array * remove debuging console.log
2016-09-09 14:43:59 -04:00
parent e8aa1ad312
commit c5fdd91aa3
3 changed files with 40 additions and 2 deletions
--- a/spec/schemas.spec.js
+++ b/spec/schemas.spec.js
@@ -1631,4 +1631,40 @@ describe('schemas', () => {
      done();
    });
  });
+
+  it('regression test for #2246', done => {
+    let profile = new Parse.Object('UserProfile');
+    let user = new Parse.User();
+    function initialize() {
+      return user.save({
+        username: 'user',
+        password: 'password'
+      }).then(() => {
+        return profile.save({user}).then(() => {
+        return user.save({
+            userProfile: profile
+          }, {useMasterKey: true});
+        });
+      });
+    }
+
+    initialize().then(() => {
+      return setPermissionsOnClass('UserProfile', {
+        'readUserFields': ['user'],
+        'writeUserFields': ['user']
+      }, true);
+    }).then(() => {
+      return Parse.User.logIn('user', 'password')
+    }).then(() => {
+      let query = new Parse.Query('_User');
+      query.include('userProfile');
+      return query.get(user.id);
+    }).then((user) => {
+      expect(user.get('userProfile')).not.toBeUndefined();
+      done();
+    }, (err) => {
+      jfail(err);
+      done();
+    });
+  });
 });
--- a/src/Controllers/DatabaseController.js
+++ b/src/Controllers/DatabaseController.js
@@ -859,6 +859,7 @@ DatabaseController.prototype.addPointerPermissions = function(schema, className,
  // the ACL should have exactly 1 user
  if (perms && perms[field] && perms[field].length > 0) {
    // No user set return undefined
+    // If the length is > 1, that means we didn't dedup users correctly
    if (userACL.length != 1) {
      return;
    }
--- a/src/RestQuery.js
+++ b/src/RestQuery.js
@@ -149,8 +149,9 @@ RestQuery.prototype.getUserAndRoleACL = function() {
    return Promise.resolve();
  }
  return this.auth.getUserRoles().then((roles) => {
-    roles.push(this.auth.user.id);
-    this.findOptions.acl = roles;
+    // Concat with the roles to prevent duplications on multiple calls
+    const aclSet = new Set([].concat(this.findOptions.acl, roles));
+    this.findOptions.acl = Array.from(aclSet);
    return Promise.resolve();
  });
 };