Protected fields fix (#5463)

* fix minor spelling mistake

* Always process userSensitiveFields if they exist

* Cover change to protectedFields
Add start of some more tests for protectedFields
which i need to do to document the feature.

* re-arrange promise deck chairs to not
swallow errors.

* remove noop code

* protect agains the case where options.protectedFields
is set without a _User permission.

src/ParseServer.js

@@ -333,8 +333,6 @@ function addParseCloud() {
 }
 
 function injectDefaults(options: ParseServerOptions) {
-  const hasProtectedFields = !!options.protectedFields;
-
   Object.keys(defaults).forEach(key => {
     if (!options.hasOwnProperty(key)) {
       options[key] = defaults[key];
@@ -346,7 +344,7 @@ function injectDefaults(options: ParseServerOptions) {
   }
 
   // Backwards compatibility
-  if (!hasProtectedFields && options.userSensitiveFields) {
+  if (options.userSensitiveFields) {
     /* eslint-disable no-console */
     !process.env.TESTING &&
       console.warn(
@@ -361,7 +359,23 @@ function injectDefaults(options: ParseServerOptions) {
       ])
     );
 
-    options.protectedFields = { _User: { '*': userSensitiveFields } };
+    // If the options.protectedFields is unset,
+    // it'll be assigned the default above.
+    // Here, protect against the case where protectedFields
+    // is set, but doesn't have _User.
+    if (!('_User' in options.protectedFields)) {
+      options.protectedFields = Object.assign(
+        { _User: [] },
+        options.protectedFields
+      );
+    }
+
+    options.protectedFields['_User']['*'] = Array.from(
+      new Set([
+        ...(options.protectedFields['_User']['*'] || []),
+        ...userSensitiveFields,
+      ])
+    );
   }
 
   // Merge protectedFields options with defaults.