Add test cases for protectedFields when using Find without constraints. (#5967)
committed by
Antonio Davi Macedo Coelho de Castro
parent
ed7c2639b7
commit
d0dc511423
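--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -1122,11 +1122,19 @@ describe('Personally Identifiable Information', () => {
 // Even with an authenticated user, Public read ACL should never expose sensitive data.
 describe('with another authenticated user', () => {
 let anotherUser;
+const ANOTHER_EMAIL = 'another@bar.com';
 
 beforeEach(async done => {
 return Parse.User.signUp('another', 'abc')
 .then(loggedInUser => (anotherUser = loggedInUser))
 .then(() => Parse.User.logIn(anotherUser.get('username'), 'abc'))
+.then(() =>
+anotherUser
+.set('email', ANOTHER_EMAIL)
+.set('zip', ZIP)
+.set('ssn', SSN)
+.save()
+)
 .then(() => done());
 });
 
@@ -1156,6 +1164,36 @@ describe('Personally Identifiable Information', () => {
 .catch(done.fail);
 });
 
+it('should not be able to get user PII via API with Find without constraints', done => {
+new Parse.Query(Parse.User)
+.find()
+.then(fetchedUsers => {
+const notCurrentUser = fetchedUsers.find(
+u => u.id !== anotherUser.id
+);
+expect(notCurrentUser.get('email')).toBe(undefined);
+expect(notCurrentUser.get('zip')).toBe(undefined);
+expect(notCurrentUser.get('ssn')).toBe(undefined);
+done();
+})
+.catch(done.fail);
+});
+
+it('should be able to get own PII via API with Find without constraints', done => {
+new Parse.Query(Parse.User)
+.find()
+.then(fetchedUsers => {
+const currentUser = fetchedUsers.find(
+u => u.id === anotherUser.id
+);
+expect(currentUser.get('email')).toBe(ANOTHER_EMAIL);
+expect(currentUser.get('zip')).toBe(ZIP);
+expect(currentUser.get('ssn')).toBe(SSN);
+done();
+})
+.catch(done.fail);
+});
+
 it('should not be able to get user PII via API with Get', done => {
 new Parse.Query(Parse.User)
 .get(user.id)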
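Review bot: In the new "Find without constraints" test, `notCurrentUser` comes from `fetchedUsers.find(u => u.id !== anotherUser.id)` and is never checked to exist, so if the query returns only the current user the test fails with a TypeError inside the `.then` (routed to `done.fail`) instead of a readable assertion, and it cannot tell "other user hidden entirely" apart from "PII stripped from the other user". Add a guard before the field checks, e.g. `expect(notCurrentUser).toBeDefined();` or, more precisely, `expect(notCurrentUser.id).toBe(user.id);`, so the test pins that the other user is returned with its protected fields removed. The `!==` filter also assumes the fixture holds exactly two users; `user` is defined outside the hunk, so whether that holds here cannot be confirmed from this page. The positive test (`should be able to get own PII`) has the same unguarded `find` and would benefit from the same guard.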