joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add enforceMasterKeyAccess middleware.

Browse Source
This commit is contained in:
Nikita Lutsenko
2016-02-11 21:53:32 -08:00
parent e6ef0ae55c
commit f53cb60d57
3 changed files with 16 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
spec/ParseFile.spec.js
View File

@@ -101,8 +101,8 @@ describe('Parse.File testing', () => {
}, (error, response, body) => {
expect(error).toBe(null);
var del_b = JSON.parse(body);
expect(response.statusCode).toEqual(400);
expect(del_b.code).toEqual(119);
expect(response.statusCode).toEqual(403);
expect(del_b.error).toMatch(/unauthorized/);
// incorrect X-Parse-Master-Key header
request.del({
headers: {
@@ -114,8 +114,8 @@ describe('Parse.File testing', () => {
}, (error, response, body) => {
expect(error).toBe(null);
var del_b2 = JSON.parse(body);
expect(response.statusCode).toEqual(400);
expect(del_b2.code).toEqual(119);
expect(response.statusCode).toEqual(403);
expect(del_b2.error).toMatch(/unauthorized/);
done();
});
});

8
src/Controllers/FilesController.js
View File

@@ -76,13 +76,6 @@ export class FilesController {
deleteHandler() {
return (req, res, next) => {
// enforce use of master key for file deletions
if(!req.auth.isMaster){
next(new Parse.Error(Parse.Error.OPERATION_FORBIDDEN,
'Master key required for file deletion.'));
return;
}
this._filesAdapter.deleteFile(req.config, req.params.filename).then(() => {
res.status(200);
// TODO: return useful JSON here?
@@ -142,6 +135,7 @@ export class FilesController {
router.delete('/files/:filename',
Middlewares.allowCrossDomain,
Middlewares.handleParseHeaders,
Middlewares.enforceMasterKeyAccess,
this.deleteHandler()
);

13
src/middlewares.js
View File

@@ -178,15 +178,24 @@ var handleParseErrors = function(err, req, res, next) {
}
};
function enforceMasterKeyAccess(req, res, next) {
if (!req.auth.isMaster) {
res.status(403);
res.end('{"error":"unauthorized: master key is required"}');
return;
}
next();
}
function invalidRequest(req, res) {
res.status(403);
res.end('{"error":"unauthorized"}');
}
module.exports = {
allowCrossDomain: allowCrossDomain,
allowMethodOverride: allowMethodOverride,
handleParseErrors: handleParseErrors,
handleParseHeaders: handleParseHeaders
handleParseHeaders: handleParseHeaders,
enforceMasterKeyAccess: enforceMasterKeyAccess
};