Move validation logic into Parse Server and out of Mongo Adapter

Author: drew-gross

spec/MongoTransform.spec.js

@@ -191,13 +191,6 @@ describe('untransformObject', () => {
   });
 });
 
-describe('transformKeyValue', () => {
-  it('throws out _password', done => {
-    expect(() => transform.transformKeyValue(dummySchema, '_User', '_password', null, {validate: true})).toThrow();
-    done();
-  });
-});
-
 describe('transform schema key changes', () => {
 
   it('changes new pointer key', (done) => {

src/Adapters/Storage/Mongo/MongoTransform.js

@@ -71,9 +71,6 @@ function transformKeyValue(schema, className, restKey, restValue, {
     if (authDataMatch) {
       throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, 'can only query on ' + key);
     }
-    if (validate && !key.match(/^[a-zA-Z][a-zA-Z0-9_\.]*$/)) {
-      throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, 'invalid key name: ' + key);
-    }
   }
 
   // Handle special schema key changes

src/Controllers/DatabaseController.js

@@ -618,9 +618,23 @@ DatabaseController.prototype.find = function(className, query, {
   .then(schemaController => {
     if (sort) {
       mongoOptions.sort = {};
-      for (let key in sort) {
-        let mongoKey = this.transform.transformKeyValue(schemaController, className, key, null, {validate: true}).key;
-        mongoOptions.sort[mongoKey] = sort[key];
+      for (let fieldName in sort) {
+        // Parse.com treats queries on _created_at and _updated_at as if they were queries on createdAt and updatedAt,
+        // so duplicate that behaviour here.
+        if (fieldName === '_created_at') {
+          fieldName = 'createdAt';
+          sort['createdAt'] = sort['_created_at'];
+        }
+        if (fieldName === '_updated_at') {
+          fieldName = 'updatedAt';
+          sort['updatedAt'] = sort['_updated_at'];
+        }
+
+        if (!SchemaController.fieldNameIsValid(fieldName)) {
+          throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid field name: ${fieldName}.`);
+        }
+        let mongoKey = this.transform.transformKeyValue(schemaController, className, fieldName, null).key;
+        mongoOptions.sort[mongoKey] = sort[fieldName];
       }
     }
     return (isMaster ? Promise.resolve() : schemaController.validatePermission(className, aclGroup, op))

src/Controllers/SchemaController.js

@@ -466,15 +466,16 @@ class SchemaController {
   // If 'freeze' is true, refuse to update the schema for this field.
   validateField(className, fieldName, type, freeze) {
     return this.reloadData().then(() => {
-      // Just to check that the fieldName is valid
-      this._collection.transform.transformKeyValue(this, className, fieldName, null, {validate: true});
-
-      if( fieldName.indexOf(".") > 0 ) {
+      if (fieldName.indexOf(".") > 0) {
         // subdocument key (x.y) => ok if x is of type 'object'
         fieldName = fieldName.split(".")[ 0 ];
         type = 'Object';
       }
 
+      if (!fieldNameIsValid(fieldName)) {
+        throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, `Invalid field name: ${fieldName}.`);
+      }
+
       let expected = this.data[className][fieldName];
       if (expected) {
         expected = (expected === 'map' ? 'Object' : expected);
@@ -847,6 +848,7 @@ function getObjectType(obj) {
 export {
   load,
   classNameIsValid,
+  fieldNameIsValid,
   invalidClassNameMessage,
   buildMergedSchemaObject,
   systemClasses,