* Fixes an issue that would let the beforeDelete be called when user has no access to the object
* Ensure we properly lock user
- Improves find method so we can attempt to read for a write poking the right ACL instead of using masterKey
- This ensure we do not run beforeDelete/beforeFind/beforeSave in the wrong scenarios
* nits
* Caps insufficient
* Allows masterKey to lock _User object and prevent login with email / password
* Ensure the authData based auth can be locked out as well when accounts is masterKey only
* Fixes an issue where a beforeSave hook could cause a numeric val to be dropped in response.
* Use hasOwnProperty to check instead
* Remove redundant set
* Tweaks test in order to show the error
- Session is effectively created when it should not
* Do not create a session when users need verified accounts on signup
* Adds test to repro the issue
* Improved test
* Destroy duplicate sessions for User/Installation-id pair
- Sessions will also be created with action login instead of signup when using 3rd party auth
* Makes sure we don't override roles
* Reduces the query size whith pointer permissions
- Does not return as $and if not needed
- Returns just the query with the additional constraint
* Do not use $in if include is just of length 1
* Makes InstallationRouter like others
* Adds testing for Range file requests
- Fixes issue with small requests (0-2)
* Revert "Makes InstallationRouter like others"
This reverts commit e2d2a16ebf2757db6138c7b5b33c97c56c69ead6.
* Better handling of errors in FilesRouter
* Fix incorrectness in range requests
* Better/simpler logic
* Only on mongo at it requires Gridstore
* Open file streaming to all adapters supporting it
* Improves coverage of parsers
* Ensures depreciation warning is effective
* Removes unused function
* de-duplicate logic
* Removes necessity of overriding req.params.className on subclasses routers
* Use babel-preset-env to ensure min-version compatible code
* removes dead code
* Leverage indexes in order to infer which field is duplicated upon signup
- A note mentioned that it would be possible to leverage using the indexes on username/email to infer which is duplicated
* Small nit
* Better template to match column name
* Restores original implementation for safety
* nits
* Adds failing test,
the _User object is not updated as soon as you pass some authData part of the PUT
* Do not run the DB call when updating the user with new auth data, just part of the rest
* The 'beforeSave' trigger breaks requests using the dot notation for subdocuments (cf #567)
* Convert 'var' to 'let' / 'const'
* Convert 'var' to 'const'
* Use RestWrite when verifying emails so hooks are called (as master)
* Fixes tests for postgres
* nit
* Makes rest.update support a full where instead of objectId
* Use rest.update to guaranteed proper beforeSave and liveQuery calls
* Adds test for the new feature
* Re-validate authData only if mutated
- In case of short-lived tokens (like facebook) this will allow clients to be lax with asking users to re-login
* adds resetTokenValidityDuration setting
* adds a validator to validate password that can be used to enforce strong
passwords
* adds unit tests for passwordPolicy.validator
* adds unit tests to to fail reset password function if password is not in a valid format
* updates README.md for passwordPolicy
* prevents duplicate check for password validator in updateUserPassword
* adds optional setting to disallow username in password
* updates test cases to use fdescribe instead of describe
* updates test cases to use request-promise instead of request
* adds ability to use a RegExp or Callback function or both for a passwordPolicy.validator
* expect username parameter in redirect to password_reset_success
* adds support for _perishable_token_expires_at in postgres
* Add failing test for updating installations with masterKey
* Prevent auth.installationId from being used when using masterKey
This allows masterKey to update any installation object
Fixes ParsePlatform/parse-server##2887
* Implemented syncing afterSave/afterDelete trigger calls with REST request execution flow (Issue 2489). After this change, afterSave and afterDelete triggers CAN return a promise, which needs to be resolved inside a trigger for REST request flow to continue. If trigger doesn't return a promise, request flow continues.
* Added {} to multiline if.
* Fixed bad commit.
* Fixed problem with beforeSave triggers becoming async.
* test case to check beforeSave changes clobbers fetched pointer fields
Basically if beforeSave makes any changes to the object it is trying to save, the fetched pointer fields on the client gets clobbered to only pointer.
* propogate only changed fields to response.
Earlier we were returning all fields even if any changes happened in beforeSave. This causes the fetched pointer fields on the client to get clobbered to only pointers.
This fix returns only the changed fields thus avoiding pointer clobber.
* The goal of this comparision seems to be checking that the all returns the user correctly.
Also it is consistent with the hosted parse that user.username not returned from PUT request.
* Adding a test demonstrating issue #1840.
* Fixes#1840
* Adds failing test with other use case
- That test fails on parse.com as well
* Bumps parse to 1.9.0
* exclude pg db
* Exclude pg on other test
* Adds clientSDK compatibility check for forward deletion
- Mark js1.9.0 as compatible
* Strips all operations from result
- fix for #1606
