fix(GraphQL): Remove "password" output field from _User class (#5889)

2019-08-06 21:21:33 -03:00
parent ef14ca530d
commit f81da11b84
2 changed files with 21 additions and 0 deletions
--- a/spec/ParseGraphQLServer.spec.js
+++ b/spec/ParseGraphQLServer.spec.js
@@ -765,6 +765,21 @@ describe('ParseGraphQLServer', () => {
          })).data['__type'].fields.map(field => field.name);
          expect(userFields.indexOf('foo') !== -1).toBeTruthy();
        });
+
+        it('should not contain password field from _User class', async () => {
+          const userFields = (await apolloClient.query({
+            query: gql`
+              query UserType {
+                __type(name: "_UserClass") {
+                  fields {
+                    name
+                  }
+                }
+              }
+            `,
+          })).data['__type'].fields.map(field => field.name);
+          expect(userFields.includes('password')).toBeFalsy();
+        });
      });

      describe('Configuration', function() {
--- a/src/GraphQL/loaders/parseClassTypes.js
+++ b/src/GraphQL/loaders/parseClassTypes.js
@@ -213,6 +213,12 @@ const getInputFieldsAndConstraints = function(
  } else {
    classOutputFields = classCustomFields;
  }
+  // Filters the "password" field from class _User
+  if (parseClass.className === '_User') {
+    classOutputFields = classOutputFields.filter(
+      outputField => outputField !== 'password'
+    );
+  }

  if (allowedConstraintFields) {
    classConstraintFields = classCustomFields.filter(field => {