Adds class level permission requiring authenticated user (#893)

* Adds class level permission requiring authenticated user * Updates to latest schema permissions syntax * fix flaky test * Exclude PG * Rebased and nitted * lints
2016-12-02 19:47:33 -05:00
parent 01b05b060f
commit e0704b440c
2 changed files with 250 additions and 1 deletions
--- a/src/Controllers/SchemaController.js
+++ b/src/Controllers/SchemaController.js
@@ -123,7 +123,9 @@ const roleRegex = /^role:.*/;
 // * permission
 const publicRegex = /^\*$/

-const permissionKeyRegex = Object.freeze([userIdRegex, roleRegex, publicRegex]);
+const requireAuthenticationRegex = /^requiresAuthentication$/
+
+const permissionKeyRegex = Object.freeze([userIdRegex, roleRegex, publicRegex, requireAuthenticationRegex]);

 function verifyPermissionKey(key) {
  let result = permissionKeyRegex.reduce((isGood, regEx) => {
@@ -771,6 +773,26 @@ export default class SchemaController {
      return true;
    }
    let classPerms = this.perms[className];
+    let perms = classPerms[operation];
+
+    // If only for authenticated users
+    // make sure we have an aclGroup
+    if (perms['requiresAuthentication']) {
+      // If aclGroup has * (public)
+      if (!aclGroup || aclGroup.length == 0) {
+        throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,
+        'Permission denied, user needs to be authenticated.');
+      } else if (aclGroup.indexOf('*') > -1 && aclGroup.length == 1) {
+        throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,
+        'Permission denied, user needs to be authenticated.');
+      }
+      // no other CLP than requiresAuthentication
+      // let's resolve that!
+      if (Object.keys(perms).length == 1) {
+        return Promise.resolve();
+      }
+    }
+
    // No matching CLP, let's check the Pointer permissions
    // And handle those later
    let permissionField = ['get', 'find'].indexOf(operation) > -1 ? 'readUserFields' : 'writeUserFields';