review changes

Author: dblythy

spec/ParseFile.spec.js

@@ -860,7 +860,8 @@ describe('Parse.File testing', () => {
       });
     });
   });
-  describe('file upload restrictions', () => {
+
+  describe('disable file upload', () => {
     it('can reject file upload with unspecified', async () => {
       await reconfigureServer({
         fileUpload: {},
@@ -871,15 +872,16 @@ describe('Parse.File testing', () => {
         fail('should not have been able to save file.');
       } catch (e) {
         expect(e.code).toBe(130);
-        expect(e.message).toBe('Public file upload is not enabled.');
+        expect(e.message).toBe('File upload by public is not enabled.');
       }
     });
-    it('disable file upload', async () => {
+
+    it('disable all file upload', async () => {
       await reconfigureServer({
         fileUpload: {
-          enabledForPublic: false,
-          enabledForAnonymousUser: false,
-          enabledForAuthenticatedUser: false,
+          enableForPublic: false,
+          enableForAnonymousUser: false,
+          enableForAuthenticatedUser: false,
         },
       });
       try {
@@ -888,13 +890,14 @@ describe('Parse.File testing', () => {
         fail('should not have been able to save file.');
       } catch (e) {
         expect(e.code).toBe(130);
-        expect(e.message).toBe('Public file upload is not enabled.');
+        expect(e.message).toBe('File upload by public is not enabled.');
       }
     });
-    it('disable for public', async () => {
+
+    it('disable public file upload', async () => {
       await reconfigureServer({
         fileUpload: {
-          enabledForPublic: false,
+          enableForPublic: false,
         },
       });
       try {
@@ -903,14 +906,15 @@ describe('Parse.File testing', () => {
         fail('should not have been able to save file.');
       } catch (e) {
         expect(e.code).toBe(130);
-        expect(e.message).toBe('Public file upload is not enabled.');
+        expect(e.message).toBe('File upload by public is not enabled.');
       }
     });
 
-    it('disable for public allow user', async () => {
+    it('disable file upload for public but allow for user', async () => {
       await reconfigureServer({
         fileUpload: {
-          enabledForPublic: false,
+          enableForPublic: false,
+          enableForAuthenticatedUser: true,
         },
       });
       try {
@@ -922,10 +926,10 @@ describe('Parse.File testing', () => {
       }
     });
 
-    it('disable for anonymous', async () => {
+    it('disable file upload for anonymous', async () => {
       await reconfigureServer({
         fileUpload: {
-          enabledForAnonymousUser: false,
+          enableForAnonymousUser: false,
         },
       });
       try {
@@ -935,15 +939,15 @@ describe('Parse.File testing', () => {
         fail('should not have been able to save file.');
       } catch (e) {
         expect(e.code).toBe(130);
-        expect(e.message).toBe('Anonymous file upload is not enabled.');
+        expect(e.message).toBe('File upload by anonymous user is not allowed.');
       }
     });
 
-    it('enable for anonymous', async () => {
+    it('enable file upload for anonymous', async () => {
       await reconfigureServer({
         fileUpload: {
-          enabledForPublic: false,
-          enabledForAnonymousUser: true,
+          enableForPublic: false,
+          enableForAnonymousUser: true,
         },
       });
       try {
@@ -955,12 +959,12 @@ describe('Parse.File testing', () => {
       }
     });
 
-    it('enable for anonymous but not authenticated', async () => {
+    it('enable file upload for anonymous but not authenticated users', async () => {
       await reconfigureServer({
         fileUpload: {
-          enabledForPublic: false,
-          enabledForAnonymousUser: true,
-          enabledForAuthenticatedUser: false,
+          enableForPublic: false,
+          enableForAnonymousUser: true,
+          enableForAuthenticatedUser: false,
         },
       });
       try {
@@ -977,8 +981,41 @@ describe('Parse.File testing', () => {
         fail('should have not allowed file to save.');
       } catch (e) {
         expect(e.code).toBe(130);
-        expect(e.message).toBe('Authenticated file upload is not enabled.');
+        expect(e.message).toBe('File upload by authenticated users is not enabled.');
       }
     });
   });
+
+  it('setup with invalid configuration', async () => {
+    try {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: [],
+        },
+      });
+      fail('should not allow invalid configuration');
+    } catch (e) {
+      expect(e).toBe('enableForPublic must be a boolean value');
+    }
+    try {
+      await reconfigureServer({
+        fileUpload: {
+          enableForAnonymousUser: [],
+        },
+      });
+      fail('should not allow invalid configuration');
+    } catch (e) {
+      expect(e).toBe('enableForAnonymousUser must be a boolean value');
+    }
+    try {
+      await reconfigureServer({
+        fileUpload: {
+          enableForAuthenticatedUser: [],
+        },
+      });
+      fail('should not allow invalid configuration');
+    } catch (e) {
+      expect(e).toBe('enableForAuthenticatedUser must be a boolean value');
+    }
+  });
 });

spec/helper.js

@@ -89,7 +89,7 @@ const defaultConfiguration = {
   silent,
   logLevel,
   fileUpload: {
-    enabledForPublic: true,
+    enableForPublic: true,
   },
   push: {
     android: {

src/Config.js

@@ -71,6 +71,7 @@ export class Config {
     allowHeaders,
     idempotencyOptions,
     emailVerifyTokenReuseIfValid,
+    fileUpload,
   }) {
     if (masterKey === readOnlyMasterKey) {
       throw new Error('masterKey and readOnlyMasterKey should be different');
@@ -91,6 +92,8 @@ export class Config {
 
     this.validatePasswordPolicy(passwordPolicy);
 
+    this.validateFileUploadOptions(fileUpload);
+
     if (typeof revokeSessionOnPasswordReset !== 'boolean') {
       throw 'revokeSessionOnPasswordReset must be a boolean value';
     }
@@ -244,7 +247,25 @@ export class Config {
       throw 'You cannot use emailVerifyTokenReuseIfValid without emailVerifyTokenValidityDuration';
     }
   }
+  static validateFileUploadOptions(fileUpload) {
+    if (
+      fileUpload.enableForAnonymousUser &&
+      typeof fileUpload.enableForAnonymousUser !== 'boolean'
+    ) {
+      throw 'enableForAnonymousUser must be a boolean value';
+    }
+
+    if (fileUpload.enableForPublic && typeof fileUpload.enableForPublic !== 'boolean') {
+      throw 'enableForPublic must be a boolean value';
+    }
 
+    if (
+      fileUpload.enableForAuthenticatedUser &&
+      typeof fileUpload.enableForAuthenticatedUser !== 'boolean'
+    ) {
+      throw 'enableForAuthenticatedUser must be a boolean value';
+    }
+  }
   static validateMasterKeyIps(masterKeyIps) {
     for (const ip of masterKeyIps) {
       if (!net.isIP(ip)) {

src/Options/Definitions.js

@@ -606,22 +606,21 @@ module.exports.PasswordPolicyOptions = {
   },
 };
 module.exports.FileUploadOptions = {
-  enabledForAnonymousUser: {
-    env: 'PARSE_SERVER_FILE_UPLOAD_ENABLED_FOR_ANONYMOUS_USER',
-    help: 'File upload is enabled for Anonymous Users.',
+  enableForAnonymousUser: {
+    env: 'PARSE_SERVER_FILE_UPLOAD_ENABLE_FOR_ANONYMOUS_USER',
+    help: 'Is true if file upload should be allowed for anonymous users.',
     action: parsers.booleanParser,
     default: false,
   },
-  enabledForAuthenticatedUser: {
-    env: 'PARSE_SERVER_FILE_UPLOAD_ENABLED_FOR_AUTHENTICATED_USER',
-    help: 'File upload is enabled for authenticated users.',
+  enableForAuthenticatedUser: {
+    env: 'PARSE_SERVER_FILE_UPLOAD_ENABLE_FOR_AUTHENTICATED_USER',
+    help: 'Is true if file upload should be allowed for authenticated users.',
     action: parsers.booleanParser,
-    default: true,
+    default: false,
   },
-  enabledForPublic: {
-    env: 'PARSE_SERVER_FILE_UPLOAD_ENABLED_FOR_PUBLIC',
-    help:
-      'File upload is enabled for anyone with access to the Parse Server file upload endpoint, regardless of user authentication.',
+  enableForPublic: {
+    env: 'PARSE_SERVER_FILE_UPLOAD_ENABLE_FOR_PUBLIC',
+    help: 'Is true if file upload should be allowed for anyone, regardless of user authentication.',
     action: parsers.booleanParser,
     default: false,
   },

src/Options/docs.js

@@ -141,7 +141,7 @@
 
 /**
  * @interface FileUploadOptions
- * @property {Boolean} enabledForAnonymousUser File upload is enabled for Anonymous Users.
- * @property {Boolean} enabledForAuthenticatedUser File upload is enabled for authenticated users.
- * @property {Boolean} enabledForPublic File upload is enabled for anyone with access to the Parse Server file upload endpoint, regardless of user authentication.
+ * @property {Boolean} enableForAnonymousUser Is true if file upload should be allowed for anonymous users.
+ * @property {Boolean} enableForAuthenticatedUser Is true if file upload should be allowed for authenticated users.
+ * @property {Boolean} enableForPublic Is true if file upload should be allowed for anyone, regardless of user authentication.
  */

src/Options/index.js

@@ -320,13 +320,13 @@ export interface PasswordPolicyOptions {
 }
 
 export interface FileUploadOptions {
-  /* File upload is enabled for Anonymous Users.
+  /*  Is true if file upload should be allowed for anonymous users.
   :DEFAULT: false */
-  enabledForAnonymousUser: ?boolean;
-  /* File upload is enabled for anyone with access to the Parse Server file upload endpoint, regardless of user authentication.
+  enableForAnonymousUser: ?boolean;
+  /* Is true if file upload should be allowed for authenticated users.
   :DEFAULT: false */
-  enabledForPublic: ?boolean;
-  /* File upload is enabled for authenticated users.
-  :DEFAULT: true */
-  enabledForAuthenticatedUser: ?boolean;
+  enableForAuthenticatedUser: ?boolean;
+  /* Is true if file upload should be allowed for anyone, regardless of user authentication.
+  :DEFAULT: false */
+  enableForPublic: ?boolean;
 }

src/Routers/FilesRouter.js

@@ -94,27 +94,28 @@ export class FilesRouter {
 
   async createHandler(req, res, next) {
     const config = req.config;
-    if (
-      !req.config.fileUpload.enabledForAnonymousUser &&
-      req.auth.user &&
-      Parse.AnonymousUtils.isLinked(req.auth.user)
-    ) {
-      next(new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'Anonymous file upload is not enabled.'));
+    const user = req.auth.user;
+    const isLinked = user && Parse.AnonymousUtils.isLinked(user);
+    if (!config.fileUpload.enableForAnonymousUser && isLinked) {
+      next(
+        new Parse.Error(
+          Parse.Error.FILE_SAVE_ERROR,
+          'File upload by anonymous user is not allowed.'
+        )
+      );
       return;
     }
-    if (
-      !req.config.fileUpload.enabledForAuthenticatedUser &&
-      req.config.fileUpload.enabledForAuthenticatedUser != null &&
-      req.auth.user &&
-      !Parse.AnonymousUtils.isLinked(req.auth.user)
-    ) {
+    if (!config.fileUpload.enableForAuthenticatedUser && !isLinked && user) {
       next(
-        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'Authenticated file upload is not enabled.')
+        new Parse.Error(
+          Parse.Error.FILE_SAVE_ERROR,
+          'File upload by authenticated users is not enabled.'
+        )
       );
       return;
     }
-    if (!req.config.fileUpload.enabledForPublic && !req.auth.user) {
-      next(new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'Public file upload is not enabled.'));
+    if (!config.fileUpload.enableForPublic && !user) {
+      next(new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'File upload by public is not enabled.'));
       return;
     }
     const filesController = config.filesController;