Merge remote-tracking branch 'upstream/master'

Author: mtrezza

.github/PULL_REQUEST_TEMPLATE/pull_request_template.md renamed to .github/pull_request_template.md

@@ -3,6 +3,11 @@
 ### master
 [Full Changelog](https://github.com/parse-community/parse-server/compare/4.5.0...master)
 
+__BREAKING CHANGES:__
+- NEW: Added file upload restriction. File upload is now only allowed for authenticated users by default for improved security. To allow file upload also for Anonymous Users or Public, set the `fileUpload` parameter in the [Parse Server Options](https://parseplatform.org/parse-server/api/master/ParseServerOptions.html). [#7071](https://github.com/parse-community/parse-server/pull/7071). Thanks to [dblythy](https://github.com/dblythy).
+___
+- IMPROVE: Optimize queries on classes with pointer permissions. [#7061](https://github.com/parse-community/parse-server/pull/7061). Thanks to [Pedro Diaz](https://github.com/pdiaz)
+
 ### 4.5.0
 [Full Changelog](https://github.com/parse-community/parse-server/compare/4.4.0...4.5.0)
 

CHANGELOG.md

@@ -47,7 +47,8 @@ function getENVPrefix(iface) {
     'LiveQueryOptions' : 'PARSE_SERVER_LIVEQUERY_',
     'IdempotencyOptions' : 'PARSE_SERVER_EXPERIMENTAL_IDEMPOTENCY_',
     'AccountLockoutOptions' : 'PARSE_SERVER_ACCOUNT_LOCKOUT_',
-    'PasswordPolicyOptions' : 'PARSE_SERVER_PASSWORD_POLICY_'
+    'PasswordPolicyOptions' : 'PARSE_SERVER_PASSWORD_POLICY_',
+    'FileUploadOptions' : 'PARSE_SERVER_FILE_UPLOAD_'
   }
   if (options[iface.id.name]) {
     return options[iface.id.name]
@@ -163,14 +164,8 @@ function parseDefaultValue(elt, value, t) {
     if (type == 'NumberOrBoolean') {
       literalValue = t.numericLiteral(parsers.numberOrBoolParser('')(value));
     }
-    if (type == 'CustomPagesOptions') {
-      const object = parsers.objectParser(value);
-      const props = Object.keys(object).map((key) => {
-        return t.objectProperty(key, object[value]);
-      });
-      literalValue = t.objectExpression(props);
-    }
-    if (type == 'IdempotencyOptions') {
+    const literalTypes = ['IdempotencyOptions','FileUploadOptions','CustomPagesOptions'];
+    if (literalTypes.includes(type)) {
       const object = parsers.objectParser(value);
       const props = Object.keys(object).map((key) => {
         return t.objectProperty(key, object[value]);

resources/buildConfigDefinitions.js

@@ -236,6 +236,57 @@ describe('DatabaseController', function () {
       done();
     });
 
+    it('should not return a $or operation if the query involves one of the two fields also used as array/pointer permissions', done => {
+      const clp = buildCLP(['users', 'user']);
+      const query = { a: 'b', user: createUserPointer(USER_ID) };
+      schemaController.testPermissionsForClassName
+        .withArgs(CLASS_NAME, ACL_GROUP, OPERATION)
+        .and.returnValue(false);
+      schemaController.getClassLevelPermissions.withArgs(CLASS_NAME).and.returnValue(clp);
+      schemaController.getExpectedType
+        .withArgs(CLASS_NAME, 'user')
+        .and.returnValue({ type: 'Pointer' });
+      schemaController.getExpectedType
+        .withArgs(CLASS_NAME, 'users')
+        .and.returnValue({ type: 'Array' });
+      const output = databaseController.addPointerPermissions(
+        schemaController,
+        CLASS_NAME,
+        OPERATION,
+        query,
+        ACL_GROUP
+      );
+      expect(output).toEqual({ ...query, user: createUserPointer(USER_ID) });
+      done();
+    });
+
+    it('should not return a $or operation if the query involves one of the fields also used as array/pointer permissions', done => {
+      const clp = buildCLP(['user', 'users', 'userObject']);
+      const query = { a: 'b', user: createUserPointer(USER_ID) };
+      schemaController.testPermissionsForClassName
+        .withArgs(CLASS_NAME, ACL_GROUP, OPERATION)
+        .and.returnValue(false);
+      schemaController.getClassLevelPermissions.withArgs(CLASS_NAME).and.returnValue(clp);
+      schemaController.getExpectedType
+        .withArgs(CLASS_NAME, 'user')
+        .and.returnValue({ type: 'Pointer' });
+      schemaController.getExpectedType
+        .withArgs(CLASS_NAME, 'users')
+        .and.returnValue({ type: 'Array' });
+      schemaController.getExpectedType
+        .withArgs(CLASS_NAME, 'userObject')
+        .and.returnValue({ type: 'Object' });
+      const output = databaseController.addPointerPermissions(
+        schemaController,
+        CLASS_NAME,
+        OPERATION,
+        query,
+        ACL_GROUP
+      );
+      expect(output).toEqual({ ...query, user: createUserPointer(USER_ID) });
+      done();
+    });
+
     it('should throw an error if for some unexpected reason the property specified in the CLP is neither a pointer nor an array', done => {
       const clp = buildCLP(['user']);
       const query = { a: 'b' };
@@ -265,6 +316,51 @@ describe('DatabaseController', function () {
       done();
     });
   });
+
+  describe('reduceOperations', function () {
+    const databaseController = new DatabaseController();
+
+    it('objectToEntriesStrings', done => {
+      const output = databaseController.objectToEntriesStrings({ a: 1, b: 2, c: 3 });
+      expect(output).toEqual(['"a":1', '"b":2', '"c":3']);
+      done();
+    });
+
+    it('reduceOrOperation', done => {
+      expect(databaseController.reduceOrOperation({ a: 1 })).toEqual({ a: 1 });
+      expect(databaseController.reduceOrOperation({ $or: [{ a: 1 }, { b: 2 }] })).toEqual({
+        $or: [{ a: 1 }, { b: 2 }],
+      });
+      expect(databaseController.reduceOrOperation({ $or: [{ a: 1 }, { a: 2 }] })).toEqual({
+        $or: [{ a: 1 }, { a: 2 }],
+      });
+      expect(databaseController.reduceOrOperation({ $or: [{ a: 1 }, { a: 1 }] })).toEqual({ a: 1 });
+      expect(
+        databaseController.reduceOrOperation({ $or: [{ a: 1, b: 2, c: 3 }, { a: 1 }] })
+      ).toEqual({ a: 1 });
+      expect(
+        databaseController.reduceOrOperation({ $or: [{ b: 2 }, { a: 1, b: 2, c: 3 }] })
+      ).toEqual({ b: 2 });
+      done();
+    });
+
+    it('reduceAndOperation', done => {
+      expect(databaseController.reduceAndOperation({ a: 1 })).toEqual({ a: 1 });
+      expect(databaseController.reduceAndOperation({ $and: [{ a: 1 }, { b: 2 }] })).toEqual({
+        $and: [{ a: 1 }, { b: 2 }],
+      });
+      expect(databaseController.reduceAndOperation({ $and: [{ a: 1 }, { a: 2 }] })).toEqual({
+        $and: [{ a: 1 }, { a: 2 }],
+      });
+      expect(databaseController.reduceAndOperation({ $and: [{ a: 1 }, { a: 1 }] })).toEqual({
+        a: 1,
+      });
+      expect(
+        databaseController.reduceAndOperation({ $and: [{ a: 1, b: 2, c: 3 }, { b: 2 }] })
+      ).toEqual({ a: 1, b: 2, c: 3 });
+      done();
+    });
+  });
 });
 
 function buildCLP(pointerNames) {

spec/DatabaseController.spec.js

@@ -4,6 +4,7 @@
 'use strict';
 
 const request = require('../lib/request');
+const Definitions = require('../src/Options/Definitions');
 
 const str = 'Hello World!';
 const data = [];
@@ -860,4 +861,196 @@ describe('Parse.File testing', () => {
       });
     });
   });
+
+  describe('file upload configuration', () => {
+    it('allows file upload only for authenticated user by default', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: Definitions.FileUploadOptions.enableForPublic.default,
+          enableForAnonymousUser: Definitions.FileUploadOptions.enableForAnonymousUser.default,
+          enableForAuthenticatedUser: Definitions.FileUploadOptions.enableForAuthenticatedUser.default,
+        }
+      });
+      let file = new Parse.File('hello.txt', data, 'text/plain');
+      await expectAsync(file.save()).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'File upload by public is disabled.')
+      );
+      file = new Parse.File('hello.txt', data, 'text/plain');
+      const anonUser = await Parse.AnonymousUtils.logIn();
+      await expectAsync(file.save({ sessionToken: anonUser.getSessionToken() })).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'File upload by anonymous user is disabled.')
+      );
+      file = new Parse.File('hello.txt', data, 'text/plain');
+      const authUser = await Parse.User.signUp('user', 'password');
+      await expectAsync(file.save({ sessionToken: authUser.getSessionToken() })).toBeResolved();
+    });
+
+    it('allows file upload with master key', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: false,
+          enableForAnonymousUser: false,
+          enableForAuthenticatedUser: false,
+        },
+      });
+      const file = new Parse.File('hello.txt', data, 'text/plain');
+      await expectAsync(file.save({ useMasterKey: true })).toBeResolved();
+    });
+
+    it('rejects all file uploads', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: false,
+          enableForAnonymousUser: false,
+          enableForAuthenticatedUser: false,
+        },
+      });
+      let file = new Parse.File('hello.txt', data, 'text/plain');
+      await expectAsync(file.save()).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'File upload by public is disabled.')
+      );
+      file = new Parse.File('hello.txt', data, 'text/plain');
+      const anonUser = await Parse.AnonymousUtils.logIn();
+      await expectAsync(file.save({ sessionToken: anonUser.getSessionToken() })).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'File upload by anonymous user is disabled.')
+      );
+      file = new Parse.File('hello.txt', data, 'text/plain');
+      const authUser = await Parse.User.signUp('user', 'password');
+      await expectAsync(file.save({ sessionToken: authUser.getSessionToken() })).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'File upload by authenticated user is disabled.')
+      );
+    });
+
+    it('allows all file uploads', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: true,
+          enableForAnonymousUser: true,
+          enableForAuthenticatedUser: true,
+        },
+      });
+      let file = new Parse.File('hello.txt', data, 'text/plain');
+      await expectAsync(file.save()).toBeResolved();
+      file = new Parse.File('hello.txt', data, 'text/plain');
+      const anonUser = await Parse.AnonymousUtils.logIn();
+      await expectAsync(file.save({ sessionToken: anonUser.getSessionToken() })).toBeResolved();
+      file = new Parse.File('hello.txt', data, 'text/plain');
+      const authUser = await Parse.User.signUp('user', 'password');
+      await expectAsync(file.save({ sessionToken: authUser.getSessionToken() })).toBeResolved();
+    });
+
+    it('allows file upload only for public', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: true,
+          enableForAnonymousUser: false,
+          enableForAuthenticatedUser: false,
+        },
+      });
+      let file = new Parse.File('hello.txt', data, 'text/plain');
+      await expectAsync(file.save()).toBeResolved();
+      file = new Parse.File('hello.txt', data, 'text/plain');
+      const anonUser = await Parse.AnonymousUtils.logIn();
+      await expectAsync(file.save({ sessionToken: anonUser.getSessionToken() })).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'File upload by anonymous user is disabled.')
+      );
+      file = new Parse.File('hello.txt', data, 'text/plain');
+      const authUser = await Parse.User.signUp('user', 'password');
+      await expectAsync(file.save({ sessionToken: authUser.getSessionToken() })).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'File upload by authenticated user is disabled.')
+      );
+    });
+
+    it('allows file upload only for anonymous user', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: false,
+          enableForAnonymousUser: true,
+          enableForAuthenticatedUser: false,
+        },
+      });
+      let file = new Parse.File('hello.txt', data, 'text/plain');
+      await expectAsync(file.save()).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'File upload by public is disabled.')
+      );
+      file = new Parse.File('hello.txt', data, 'text/plain');
+      const anonUser = await Parse.AnonymousUtils.logIn();
+      await expectAsync(file.save({ sessionToken: anonUser.getSessionToken() })).toBeResolved();
+      file = new Parse.File('hello.txt', data, 'text/plain');
+      const authUser = await Parse.User.signUp('user', 'password');
+      await expectAsync(file.save({ sessionToken: authUser.getSessionToken() })).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'File upload by authenticated user is disabled.')
+      );
+    });
+
+    it('allows file upload only for authenticated user', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: false,
+          enableForAnonymousUser: false,
+          enableForAuthenticatedUser: true,
+        },
+      });
+      let file = new Parse.File('hello.txt', data, 'text/plain');
+      await expectAsync(file.save()).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'File upload by public is disabled.')
+      );
+      file = new Parse.File('hello.txt', data, 'text/plain');
+      const anonUser = await Parse.AnonymousUtils.logIn();
+      await expectAsync(file.save({ sessionToken: anonUser.getSessionToken() })).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'File upload by anonymous user is disabled.')
+      );
+      file = new Parse.File('hello.txt', data, 'text/plain');
+      const authUser = await Parse.User.signUp('user', 'password');
+      await expectAsync(file.save({ sessionToken: authUser.getSessionToken() })).toBeResolved();
+    });
+
+    it('rejects invalid fileUpload configuration', async () => {
+      const invalidConfigs = [
+        { fileUpload: [] },
+        { fileUpload: 1 },
+        { fileUpload: "string" },
+      ];
+      const validConfigs = [
+        { fileUpload: {} },
+        { fileUpload: null },
+        { fileUpload: undefined },
+      ];
+      const keys = [
+        "enableForPublic",
+        "enableForAnonymousUser",
+        "enableForAuthenticatedUser",
+      ];
+      const invalidValues = [
+        [],
+        {},
+        1,
+        "string",
+        null,
+      ];
+      const validValues = [
+        undefined,
+        true,
+        false,
+      ];
+      for (const config of invalidConfigs) {
+        await expectAsync(reconfigureServer(config)).toBeRejectedWith(
+          'fileUpload must be an object value.'
+        );
+      }
+      for (const config of validConfigs) {
+        await expectAsync(reconfigureServer(config)).toBeResolved();
+      }
+      for (const key of keys) {
+        for (const value of invalidValues) {
+          await expectAsync(reconfigureServer({ fileUpload: { [key]: value }})).toBeRejectedWith(
+            `fileUpload.${key} must be a boolean value.`
+          );
+        }
+        for (const value of validValues) {
+          await expectAsync(reconfigureServer({ fileUpload: { [key]: value }})).toBeResolved();
+        }
+      }
+    });
+  });
 });

spec/ParseFile.spec.js

@@ -88,6 +88,11 @@ const defaultConfiguration = {
   fileKey: 'test',
   silent,
   logLevel,
+  fileUpload: {
+    enableForPublic: true,
+    enableForAnonymousUser: true,
+    enableForAuthenticatedUser: true,
+  },
   push: {
     android: {
       senderId: 'yolo',