CLP objectId size validation fix (#6332)

* Relax regex for customId ; allow varying id length

* test

* remove trycatch, fix typo

* de-duplicate test names; test pointer targetclass

* fixed early return; detailed errors for protected

Author: BufferUnderflower

spec/PointerPermissions.spec.js

@@ -399,7 +399,7 @@ describe('Pointer Permissions', () => {
         });
     });
 
-    it('should prevent creating pointer permission on bad field', done => {
+    it('should prevent creating pointer permission on bad field (of wrong type)', done => {
       const config = Config.get(Parse.applicationId);
       config.database
         .loadSchema()
@@ -426,7 +426,34 @@ describe('Pointer Permissions', () => {
         });
     });
 
-    it('should prevent creating pointer permission on bad field', done => {
+    it('should prevent creating pointer permission on bad field (non-user pointer)', done => {
+      const config = Config.get(Parse.applicationId);
+      config.database
+        .loadSchema()
+        .then(schema => {
+          return schema.addClassIfNotExists(
+            'AnObject',
+            { owner: { type: 'Pointer', targetClass: '_Session' } },
+            {
+              create: {},
+              writeUserFields: ['owner'],
+              readUserFields: ['owner'],
+            }
+          );
+        })
+        .then(() => {
+          fail('should not succeed');
+        })
+        .catch(err => {
+          expect(err.code).toBe(107);
+          expect(err.message).toBe(
+            "'owner' is not a valid column for class level pointer permissions writeUserFields"
+          );
+          done();
+        });
+    });
+
+    it('should prevent creating pointer permission on bad field (non-existing)', done => {
       const config = Config.get(Parse.applicationId);
       const object = new Parse.Object('AnObject');
       object.set('owner', 'value');
@@ -984,7 +1011,7 @@ describe('Pointer Permissions', () => {
         );
     });
 
-    it('should fail with invalid pointer perms', done => {
+    it('should fail with invalid pointer perms (not array)', done => {
       const config = Config.get(Parse.applicationId);
       config.database
         .loadSchema()
@@ -1002,7 +1029,7 @@ describe('Pointer Permissions', () => {
         });
     });
 
-    it('should fail with invalid pointer perms', done => {
+    it('should fail with invalid pointer perms (non-existing field)', done => {
       const config = Config.get(Parse.applicationId);
       config.database
         .loadSchema()
@@ -1398,7 +1425,7 @@ describe('Pointer Permissions', () => {
       }
     });
 
-    it('should prevent creating pointer permission on bad field', async done => {
+    it('should prevent creating pointer permission on bad field (of wrong type)', async done => {
       const config = Config.get(Parse.applicationId);
       const schema = await config.database.loadSchema();
       try {
@@ -1421,7 +1448,7 @@ describe('Pointer Permissions', () => {
       }
     });
 
-    it('should prevent creating pointer permission on bad field', async done => {
+    it('should prevent creating pointer permission on bad field (non-existing)', async done => {
       const config = Config.get(Parse.applicationId);
       const object = new Parse.Object('AnObject');
       object.set('owners', 'value');
@@ -1955,7 +1982,7 @@ describe('Pointer Permissions', () => {
       }
     });
 
-    it('should fail with invalid pointer perms', async done => {
+    it('should fail with invalid pointer perms (not array)', async done => {
       const config = Config.get(Parse.applicationId);
       const schema = await config.database.loadSchema();
       try {
@@ -1971,7 +1998,7 @@ describe('Pointer Permissions', () => {
       }
     });
 
-    it('should fail with invalid pointer perms', async done => {
+    it('should fail with invalid pointer perms (non-existing field)', async done => {
       const config = Config.get(Parse.applicationId);
       const schema = await config.database.loadSchema();
       try {

spec/Schema.spec.js

@@ -1665,7 +1665,7 @@ describe('Class Level Permissions for requiredAuth', () => {
       );
   });
 
-  it('required auth test create/get/update/delete not authenitcated', done => {
+  it('required auth test get not authenitcated', done => {
     config.database
       .loadSchema()
       .then(schema => {
@@ -1677,12 +1677,6 @@ describe('Class Level Permissions for requiredAuth', () => {
           get: {
             requiresAuthentication: true,
           },
-          delete: {
-            requiresAuthentication: true,
-          },
-          update: {
-            requiresAuthentication: true,
-          },
           create: {
             '*': true,
           },
@@ -1710,7 +1704,7 @@ describe('Class Level Permissions for requiredAuth', () => {
       );
   });
 
-  it('required auth test create/get/update/delete not authenitcated', done => {
+  it('required auth test find not authenitcated', done => {
     config.database
       .loadSchema()
       .then(schema => {
@@ -1722,12 +1716,6 @@ describe('Class Level Permissions for requiredAuth', () => {
           find: {
             requiresAuthentication: true,
           },
-          delete: {
-            requiresAuthentication: true,
-          },
-          update: {
-            requiresAuthentication: true,
-          },
           create: {
             '*': true,
           },

spec/schemas.spec.js

@@ -1835,46 +1835,94 @@ describe('schemas', () => {
     });
   });
 
-  it('should throw with invalid userId (>10 chars)', done => {
-    request({
+  it('should aceept class-level permission with userid of any length', async done => {
+    await global.reconfigureServer({
+      customIdSize: 11,
+    });
+
+    const id = 'e1evenChars';
+
+    const { data } = await request({
       method: 'POST',
       url: 'http://localhost:8378/1/schemas/AClass',
       headers: masterKeyHeaders,
       json: true,
       body: {
         classLevelPermissions: {
           find: {
-            '1234567890A': true,
+            [id]: true,
           },
         },
       },
-    }).then(fail, response => {
-      expect(response.data.error).toEqual(
-        "'1234567890A' is not a valid key for class level permissions"
-      );
-      done();
     });
+
+    expect(data.classLevelPermissions.find[id]).toBe(true);
+
+    done();
   });
 
-  it('should throw with invalid userId (<10 chars)', done => {
-    request({
+  it('should allow set class-level permission for custom userid of any length and chars', async done => {
+    await global.reconfigureServer({
+      allowCustomObjectId: true,
+    });
+
+    const symbolsId = 'set:ID+symbol$=@llowed';
+    const shortId = '1';
+    const { data } = await request({
       method: 'POST',
       url: 'http://localhost:8378/1/schemas/AClass',
       headers: masterKeyHeaders,
       json: true,
       body: {
         classLevelPermissions: {
           find: {
-            a12345678: true,
+            [symbolsId]: true,
+            [shortId]: true,
           },
         },
       },
-    }).then(fail, response => {
-      expect(response.data.error).toEqual(
-        "'a12345678' is not a valid key for class level permissions"
-      );
-      done();
     });
+
+    expect(data.classLevelPermissions.find[symbolsId]).toBe(true);
+    expect(data.classLevelPermissions.find[shortId]).toBe(true);
+
+    done();
+  });
+
+  it('should allow set ACL for custom userid', async done => {
+    await global.reconfigureServer({
+      allowCustomObjectId: true,
+    });
+
+    const symbolsId = 'symbols:id@allowed=';
+    const shortId = '1';
+    const normalId = 'tensymbols';
+
+    const { data } = await request({
+      method: 'POST',
+      url: 'http://localhost:8378/1/classes/AClass',
+      headers: masterKeyHeaders,
+      json: true,
+      body: {
+        ACL: {
+          [symbolsId]: { read: true, write: true },
+          [shortId]: { read: true, write: true },
+          [normalId]: { read: true, write: true },
+        },
+      },
+    });
+
+    const { data: created } = await request({
+      method: 'GET',
+      url: `http://localhost:8378/1/classes/AClass/${data.objectId}`,
+      headers: masterKeyHeaders,
+      json: true,
+    });
+
+    expect(created.ACL[normalId].write).toBe(true);
+    expect(created.ACL[symbolsId].write).toBe(true);
+    expect(created.ACL[shortId].write).toBe(true);
+    done();
   });
 
   it('should throw with invalid userId (invalid char)', done => {