Add enforceMasterKeyAccess middleware.

This commit is contained in:
Nikita Lutsenko
2016-02-11 21:53:32 -08:00
parent e6ef0ae55c
commit f53cb60d57
3 changed files with 16 additions and 13 deletions


@@ -101,8 +101,8 @@ describe('Parse.File testing', () => {
}, (error, response, body) => { }, (error, response, body) => {
expect(error).toBe(null); expect(error).toBe(null);
var del_b = JSON.parse(body); var del_b = JSON.parse(body);
expect(response.statusCode).toEqual(400); expect(response.statusCode).toEqual(403);
expect(del_b.code).toEqual(119); expect(del_b.error).toMatch(/unauthorized/);
// incorrect X-Parse-Master-Key header // incorrect X-Parse-Master-Key header
request.del({ request.del({
headers: { headers: {
@@ -114,8 +114,8 @@ describe('Parse.File testing', () => {
}, (error, response, body) => { }, (error, response, body) => {
expect(error).toBe(null); expect(error).toBe(null);
var del_b2 = JSON.parse(body); var del_b2 = JSON.parse(body);
expect(response.statusCode).toEqual(400); expect(response.statusCode).toEqual(403);
expect(del_b2.code).toEqual(119); expect(del_b2.error).toMatch(/unauthorized/);
done(); done();
}); });
}); });
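Review bot: The new assertion `expect(del_b.error).toMatch(/unauthorized/)` on the statusCode/error lines of both hunks would also be satisfied by the generic `invalidRequest` body `{"error":"unauthorized"}`, so it cannot tell the master-key rejection apart from a routing failure. Pinning the message to the middleware's wording, `expect(del_b.error).toMatch(/master key is required/);`, keeps the test tied to the check it is meant to cover (same for `del_b2` in the second hunk). The old assertion also verified a Parse error code (`119`); if the new response is meant to stay code-less, a short comment on why would help the next reader. The enclosing `describe` block starts before and ends after these hunks.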


@@ -76,13 +76,6 @@ export class FilesController {
deleteHandler() { deleteHandler() {
return (req, res, next) => { return (req, res, next) => {
// enforce use of master key for file deletions
if(!req.auth.isMaster){
next(new Parse.Error(Parse.Error.OPERATION_FORBIDDEN,
'Master key required for file deletion.'));
return;
}
this._filesAdapter.deleteFile(req.config, req.params.filename).then(() => { this._filesAdapter.deleteFile(req.config, req.params.filename).then(() => {
res.status(200); res.status(200);
// TODO: return useful JSON here? // TODO: return useful JSON here?
@@ -142,6 +135,7 @@ export class FilesController {
router.delete('/files/:filename', router.delete('/files/:filename',
Middlewares.allowCrossDomain, Middlewares.allowCrossDomain,
Middlewares.handleParseHeaders, Middlewares.handleParseHeaders,
Middlewares.enforceMasterKeyAccess,
this.deleteHandler() this.deleteHandler()
); );
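Review bot: The route in the second hunk now relies purely on middleware order for authorization, and `enforceMasterKeyAccess` appears to read `req.auth`, which is presumably populated by `Middlewares.handleParseHeaders` just above it; nothing in the code records that the two must stay in that order. A one-line comment on the new line, `Middlewares.enforceMasterKeyAccess, // reads req.auth set by handleParseHeaders; keep after it`, would prevent a later reordering from silently disabling the check. Since the in-handler guard was removed from `deleteHandler`, any other mount of `this.deleteHandler()` would no longer be protected on its own, which is worth stating in the handler's comment. Note also that rejected requests change from a `Parse.Error.OPERATION_FORBIDDEN` passed to `next()` to a direct 403 with a different body shape, which bypasses the Parse error handler; if that is intended, say so in the commit description. `deleteHandler` continues past the end of the first hunk.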


@@ -178,15 +178,24 @@ var handleParseErrors = function(err, req, res, next) {
} }
}; };
function enforceMasterKeyAccess(req, res, next) {
if (!req.auth.isMaster) {
res.status(403);
res.end('{"error":"unauthorized: master key is required"}');
return;
}
next();
}
function invalidRequest(req, res) { function invalidRequest(req, res) {
res.status(403); res.status(403);
res.end('{"error":"unauthorized"}'); res.end('{"error":"unauthorized"}');
} }
module.exports = { module.exports = {
allowCrossDomain: allowCrossDomain, allowCrossDomain: allowCrossDomain,
allowMethodOverride: allowMethodOverride, allowMethodOverride: allowMethodOverride,
handleParseErrors: handleParseErrors, handleParseErrors: handleParseErrors,
handleParseHeaders: handleParseHeaders handleParseHeaders: handleParseHeaders,
enforceMasterKeyAccess: enforceMasterKeyAccess
}; };
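Review bot: In `enforceMasterKeyAccess` the guard `if (!req.auth.isMaster)` throws a TypeError when `req.auth` is absent (for example if the middleware is ever mounted without the header-parsing step in front of it), turning a missing credential into a 500 instead of the intended 403; `if (!(req.auth && req.auth.isMaster)) {` fails closed with the same response either way. The body is written with `res.end` and a hand-built JSON string without a JSON content type, which matches `invalidRequest` below but differs from the `{code, error}` shape Parse errors use elsewhere in the server, so a JSDoc header stating that this middleware short-circuits with a raw 403 rather than a `Parse.Error` would make the contract explicit. The function is fully contained in the hunk.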