Moves transform to MongoTransform

- Adds ACL query injection in MongoTransform

Author: flovilmart

spec/transform.spec.js renamed to spec/MongoTransform.spec.js

@@ -1,6 +1,6 @@
 // These tests are unit tests designed to only test transform.js.
 
-var transform = require('../src/transform');
+var transform = require('../src/Adapters/Storage/Mongo/MongoTransform');
 
 var dummySchema = {
     data: {},

src/Adapters/Storage/Mongo/MongoSchemaCollection.js

@@ -1,5 +1,6 @@
 
 import MongoCollection from './MongoCollection';
+import * as transform from './MongoTransform';
 
 function _mongoSchemaQueryFromNameQuery(name: string, query) {
   return _mongoSchemaObjectFromNameFields(name, query);
@@ -55,4 +56,8 @@ export default class MongoSchemaCollection {
   upsertSchema(name: string, query: string, update) {
     return this._collection.upsertOne(_mongoSchemaQueryFromNameQuery(name, query), update);
   }
+
+  get transform() {
+    return transform;
+  }
 }

src/Adapters/Storage/Mongo/MongoStorageAdapter.js

@@ -1,7 +1,8 @@
 
 import MongoCollection from './MongoCollection';
 import MongoSchemaCollection from './MongoSchemaCollection';
-import {parse as parseUrl, format as formatUrl} from '../../../vendor/mongodbUrl';
+import { parse as parseUrl, format as formatUrl } from '../../../vendor/mongodbUrl';
+import * as transform from './MongoTransform';
 
 let mongodb = require('mongodb');
 let MongoClient = mongodb.MongoClient;
@@ -78,6 +79,10 @@ export class MongoStorageAdapter {
       });
     });
   }
+
+  get transform() {
+    return transform;
+  }
 }
 
 export default MongoStorageAdapter;

src/transform.js renamed to src/Adapters/Storage/Mongo/MongoTransform.js

@@ -739,6 +739,27 @@ function untransformObject(schema, className, mongoObject, isNestedObject = fals
   }
 }
 
+function addWriteACL(mongoWhere, acl) {
+  var writePerms = [
+    {_wperm: {'$exists': false}}
+  ];
+  for (var entry of acl) {
+    writePerms.push({_wperm: {'$in': [entry]}});
+  }
+  return {'$and': [mongoWhere, {'$or': writePerms}]};
+}
+
+function addReadACL(mongoWhere, acl) {
+  var orParts = [
+    {"_rperm" : { "$exists": false }},
+    {"_rperm" : { "$in" : ["*"]}}
+  ];
+  for (var entry of acl) {
+    orParts.push({"_rperm" : { "$in" : [entry]}});
+  }
+  return {'$and': [mongoWhere, {'$or': orParts}]};
+}
+
 var DateCoder = {
   JSONToDatabase(json) {
     return new Date(json.iso);
@@ -832,5 +853,7 @@ module.exports = {
   transformCreate: transformCreate,
   transformUpdate: transformUpdate,
   transformWhere: transformWhere,
+  addReadACL: addReadACL,
+  addWriteACL: addWriteACL,
   untransformObject: untransformObject
 };

src/Controllers/DatabaseController.js

@@ -5,7 +5,6 @@ var mongodb = require('mongodb');
 var Parse = require('parse/node').Parse;
 
 var Schema = require('./../Schema');
-var transform = require('./../transform');
 const deepcopy = require('deepcopy');
 
 // options can contain:
@@ -115,7 +114,7 @@ DatabaseController.prototype.validateObject = function(className, object, query,
 // Filters out any data that shouldn't be on this REST-formatted object.
 DatabaseController.prototype.untransformObject = function(
   schema, isMaster, aclGroup, className, mongoObject) {
-  var object = transform.untransformObject(schema, className, mongoObject);
+  var object = this.adapter.transform.untransformObject(schema, className, mongoObject);
 
   if (className !== '_User') {
     return object;
@@ -161,17 +160,11 @@ DatabaseController.prototype.update = function(className, query, update, options
     .then(() => this.handleRelationUpdates(className, query.objectId, update))
     .then(() => this.adaptiveCollection(className))
     .then(collection => {
-      var mongoWhere = transform.transformWhere(schema, className, query);
+      var mongoWhere = this.adapter.transform.transformWhere(schema, className, query);
       if (options.acl) {
-        var writePerms = [
-          {_wperm: {'$exists': false}}
-        ];
-        for (var entry of options.acl) {
-          writePerms.push({_wperm: {'$in': [entry]}});
-        }
-        mongoWhere = {'$and': [mongoWhere, {'$or': writePerms}]};
+        mongoWhere = this.adapter.transform.addWriteACL(mongoWhere, options.acl);
       }
-      mongoUpdate = transform.transformUpdate(schema, className, update);
+      mongoUpdate = this.adapter.transform.transformUpdate(schema, className, update);
       return collection.findOneAndUpdate(mongoWhere, mongoUpdate);
     })
     .then(result => {
@@ -298,16 +291,9 @@ DatabaseController.prototype.destroy = function(className, query, options = {})
     })
     .then(() => this.adaptiveCollection(className))
     .then(collection => {
-      let mongoWhere = transform.transformWhere(schema, className, query);
-
+      let mongoWhere = this.adapter.transform.transformWhere(schema, className, query, options);
       if (options.acl) {
-        var writePerms = [
-          { _wperm: { '$exists': false } }
-        ];
-        for (var entry of options.acl) {
-          writePerms.push({ _wperm: { '$in': [entry] } });
-        }
-        mongoWhere = { '$and': [mongoWhere, { '$or': writePerms }] };
+        mongoWhere = this.adapter.transform.addWriteACL(mongoWhere, options.acl);
       }
       return collection.deleteMany(mongoWhere);
     })
@@ -343,7 +329,7 @@ DatabaseController.prototype.create = function(className, object, options) {
     .then(() => this.handleRelationUpdates(className, null, object))
     .then(() => this.adaptiveCollection(className))
     .then(coll => {
-      var mongoObject = transform.transformCreate(schema, className, object);
+      var mongoObject = this.adapter.transform.transformCreate(schema, className, object);
       return coll.insertOne(mongoObject);
     })
     .then(result => {
@@ -537,7 +523,7 @@ DatabaseController.prototype.find = function(className, query, options = {}) {
     if (options.sort) {
       mongoOptions.sort = {};
       for (var key in options.sort) {
-        var mongoKey = transform.transformKey(schema, className, key);
+        var mongoKey = this.adapter.transform.transformKey(schema, className, key);
         mongoOptions.sort[mongoKey] = options.sort[key];
       }
     }
@@ -558,16 +544,9 @@ DatabaseController.prototype.find = function(className, query, options = {}) {
   }).then(() => {
     return this.adaptiveCollection(className);
   }).then(collection => {
-    var mongoWhere = transform.transformWhere(schema, className, query);
+    var mongoWhere = this.adapter.transform.transformWhere(schema, className, query);
     if (!isMaster) {
-      var orParts = [
-        {"_rperm" : { "$exists": false }},
-        {"_rperm" : { "$in" : ["*"]}}
-      ];
-      for (var acl of aclGroup) {
-        orParts.push({"_rperm" : { "$in" : [acl]}});
-      }
-      mongoWhere = {'$and': [mongoWhere, {'$or': orParts}]};
+      mongoWhere = this.adapter.transform.addReadACL(mongoWhere, aclGroup);
     }
     if (options.count) {
       delete mongoOptions.limit;

src/Schema.js

@@ -15,7 +15,6 @@
 // TODO: hide all schema logic inside the database adapter.
 
 var Parse = require('parse/node').Parse;
-var transform = require('./transform');
 
 const defaultColumns = Object.freeze({
   // Contain the default columns for every parse object type (except _Join collection)
@@ -416,7 +415,7 @@ class Schema {
   // If 'freeze' is true, refuse to update the schema for this field.
   validateField(className, key, type, freeze) {
     // Just to check that the key is valid
-    transform.transformKey(this, className, key);
+    this._collection.transform.transformKey(this, className, key);
 
     if( key.indexOf(".") > 0 ) {
       // subdocument key (x.y) => ok if x is of type 'object'