requiresAuthentication is self-sufficient for ACL's (#3784)

flovilmart · web-flow · commit 10c7cb0bfa74 · 2017-05-11T11:09:06.000-04:00
* Adds test to reproduce issue #3753 * Consider requiresAuthentication as the same level as other CLP * Better testing
diff --git a/spec/Schema.spec.js b/spec/Schema.spec.js
@@ -1215,4 +1215,57 @@ describe('Class Level Permissions for requiredAuth', () => {
       done();
     });
   });
+
+  it('required auth test create/get/update/delete with roles (#3753)', (done) => {
+    let user;
+    config.database.loadSchema().then((schema) => {
+      // Just to create a valid class
+      return schema.validateObject('Stuff', {foo: 'bar'});
+    }).then((schema) => {
+      return schema.setPermissions('Stuff', {
+        'find': {
+          'requiresAuthentication': true,
+          'role:admin': true
+        },
+        'create': { 'role:admin': true },
+        'update': { 'role:admin': true },
+        'delete': { 'role:admin': true },
+        'get': {
+          'requiresAuthentication': true,
+          'role:admin': true
+        }
+      });
+    }).then(() => {
+      const stuff = new Parse.Object('Stuff');
+      stuff.set('foo', 'bar');
+      return stuff.save(null, {useMasterKey: true}).then(() => {
+        const query = new Parse.Query('Stuff');
+        return query.get(stuff.id).then(() => {
+          done.fail('should not succeed');
+        }, () => {
+          return new Parse.Query('Stuff').find();
+        }).then(() => {
+          done.fail('should not succeed');
+        }, () => {
+          return Promise.resolve();
+        });
+      }).then(() => {
+        return Parse.User.signUp('user', 'password').then((signedUpUser) => {
+          user = signedUpUser;
+          const query = new Parse.Query('Stuff');
+          return query.get(stuff.id, {sessionToken: user.getSessionToken()});
+        });
+      });
+    }).then((result) => {
+      expect(result.get('foo')).toEqual('bar');
+      const query = new Parse.Query('Stuff');
+      return query.find({sessionToken: user.getSessionToken()});
+    }).then((results) => {
+      expect(results.length).toBe(1);
+      done();
+    }, (e) => {
+      console.error(e);
+      done.fail(e);
+    });
+  });
 })
diff --git a/src/Controllers/SchemaController.js b/src/Controllers/SchemaController.js
@@ -813,11 +813,9 @@ export default class SchemaController {
         throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,
         'Permission denied, user needs to be authenticated.');
       }
-      // no other CLP than requiresAuthentication
-      // let's resolve that!
-      if (Object.keys(perms).length == 1) {
-        return Promise.resolve();
-      }
+      // requiresAuthentication passed, just move forward
+      // probably would be wise at some point to rename to 'authenticatedUser'
+      return Promise.resolve();
     }
 
     // No matching CLP, let's check the Pointer permissions

Original file line number	Diff line number	Diff line change
`@@ -813,11 +813,9 @@ export default class SchemaController {`
`813`	`813`	`throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,`
`814`	`814`	`'Permission denied, user needs to be authenticated.');`
`815`	`815`	`}`
`816`		`- // no other CLP than requiresAuthentication`
`817`		`- // let's resolve that!`
`818`		`- if (Object.keys(perms).length == 1) {`
`819`		`- return Promise.resolve();`
`820`		`- }`
	`816`	`+ // requiresAuthentication passed, just move forward`
	`817`	`+ // probably would be wise at some point to rename to 'authenticatedUser'`
	`818`	`+ return Promise.resolve();`
`821`	`819`	`}`
`822`	`820`
`823`	`821`	`// No matching CLP, let's check the Pointer permissions`