joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Adds validation of addFields

Browse Source
This commit is contained in:
Florent Vilmart
2016-03-07 23:07:24 -05:00
parent 64f9fad285
commit e75d233b7e
3 changed files with 81 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
spec/schemas.spec.js
View File

@@ -938,4 +938,62 @@ describe('schemas', () => {
}); });
}); });
}); });
it('should not be able to add a field', done => {
request.post({
url: 'http://localhost:8378/1/schemas/AClass',
headers: masterKeyHeaders,
json: true,
body: {
classLevelPermissions: {
find: {
'*': true
},
addField: {
'role:admin': true
}
}
}
}, (error, response, body) => {
expect(error).toEqual(null);
let object = new Parse.Object('AClass');
object.set('hello', 'world');
return object.save().then(() => {
fail('should not be able to add a field');
done();
}, (err) => {
expect(err.message).toEqual('Permission denied for this action.');
done();
})
})
});
it('should not be able to add a field', done => {
request.post({
url: 'http://localhost:8378/1/schemas/AClass',
headers: masterKeyHeaders,
json: true,
body: {
classLevelPermissions: {
find: {
'*': true
},
addField: {
'*': true
}
}
}
}, (error, response, body) => {
expect(error).toEqual(null);
let object = new Parse.Object('AClass');
object.set('hello', 'world');
return object.save().then(() => {
done();
}, (err) => {
fail('should be able to add a field');
done();
})
})
});
}); });

24
src/Controllers/DatabaseController.js
View File

@@ -101,8 +101,12 @@ DatabaseController.prototype.redirectClassNameForKey = function(className, key)
// Returns a promise that resolves to the new schema. // Returns a promise that resolves to the new schema.
// This does not update this.schema, because in a situation like a // This does not update this.schema, because in a situation like a
// batch request, that could confuse other users of the schema. // batch request, that could confuse other users of the schema.
DatabaseController.prototype.validateObject = function(className, object, query) { DatabaseController.prototype.validateObject = function(className, object, query, options) {
return this.loadSchema().then((schema) => { let schema;
return this.loadSchema().then(s => {
schema = s;
return this.canAddField(schema, className, object, options.acl || []);
}).then(() => {
return schema.validateObject(className, object, query); return schema.validateObject(className, object, query);
}); });
}; };
@@ -332,6 +336,22 @@ DatabaseController.prototype.create = function(className, object, options) {
}); });
}; };
DatabaseController.prototype.canAddField = function(schema, className, object, aclGroup) {
let classSchema = schema.data[className];
if (!classSchema) {
return Promise.resolve();
}
let fields = Object.keys(object);
let schemaFields = Object.keys(classSchema);
let newKeys = fields.filter((field) => {
return schemaFields.indexOf(field) < 0;
})
if (newKeys.length > 0) {
return schema.validatePermission(className, aclGroup, 'addField');
}
return Promise.resolve();
}
// Runs a mongo query on the database. // Runs a mongo query on the database.
// This should only be used for testing - use 'find' for normal code // This should only be used for testing - use 'find' for normal code
// to avoid Mongo-format dependencies. // to avoid Mongo-format dependencies.

2
src/RestWrite.js
View File

@@ -128,7 +128,7 @@ RestWrite.prototype.validateClientClassCreation = function() {
// Validates this operation against the schema. // Validates this operation against the schema.
RestWrite.prototype.validateSchema = function() { RestWrite.prototype.validateSchema = function() {
return this.config.database.validateObject(this.className, this.data, this.query); return this.config.database.validateObject(this.className, this.data, this.query, this.runOptions);
}; };
// Runs any beforeSave triggers against this operation. // Runs any beforeSave triggers against this operation.