fix2

Author: mtrezza

src/Controllers/DatabaseController.js

@@ -126,19 +126,8 @@ const filterSensitiveData = (
   schema: SchemaController.SchemaController | any,
   className: string,
   protectedFields: null | Array<any>,
-  object: any,
-  query: any = {}
+  object: any
 ) => {
-  if (!isMaster && !Array.isArray(protectedFields)) {
-    protectedFields = new DatabaseController().addProtectedFields(
-      schema,
-      className,
-      query,
-      aclGroup,
-      auth
-    );
-  }
-
   let userId = null;
   if (auth && auth.user) userId = auth.user.id;
 
@@ -1756,6 +1745,7 @@ class DatabaseController {
   }
 
   static _validateQuery: any => void;
+  static filterSensitiveData: (boolean, any[], any, any, any, string, any[], any) => void;
 }
 
 module.exports = DatabaseController;

src/LiveQuery/ParseLiveQueryServer.js

@@ -17,7 +17,7 @@ import {
   maybeRunAfterEventTrigger,
 } from '../triggers';
 import { getAuthForSessionToken, Auth } from '../Auth';
-import { getCacheController } from '../Controllers';
+import { getCacheController, getDatabaseController } from '../Controllers';
 import LRU from 'lru-cache';
 import UserRouter from '../Routers/UsersRouter';
 import DatabaseController from '../Controllers/DatabaseController';
@@ -553,16 +553,25 @@ class ParseLiveQueryServer {
       if (!obj) {
         return;
       }
+      let protectedFields = classLevelPermissions?.protectedFields || [];
+      if (!client.hasMasterKey && !Array.isArray(protectedFields)) {
+        protectedFields = getDatabaseController(this.config).addProtectedFields(
+          classLevelPermissions,
+          res.object.className,
+          query,
+          aclGroup,
+          clientAuth
+        );
+      }
       return DatabaseController.filterSensitiveData(
         client.hasMasterKey,
         aclGroup,
         clientAuth,
         op,
         classLevelPermissions,
         res.object.className,
-        classLevelPermissions?.protectedFields,
-        obj,
-        query
+        protectedFields,
+        obj
       );
     };
     res.object = filter(res.object);