wip

Author: flovilmart

spec/JobSchedule.spec.js

@@ -0,0 +1,22 @@
+
+describe('JobSchedule', () => {
+  it('should create _JobSchedule with masterKey', (done) => {
+    const jobSchedule = new Parse.Object('_JobSchedule');
+    jobSchedule.set({
+      'jobName': 'MY Cool Job'
+    });
+    jobSchedule.save(null,  {useMasterKey: true}).then(() => {
+      done();
+    })
+    .catch(done.fail);
+  });
+
+  it('should fail creating _JobSchedule without masterKey', (done) => {
+    const jobSchedule = new Parse.Object('_JobSchedule');
+    jobSchedule.set({
+      'jobName': 'SomeJob'
+    });
+    jobSchedule.save(null).then(done.fail)
+    .catch(done);
+  });
+});

src/rest.js

@@ -134,8 +134,15 @@ function update(config, auth, className, restWhere, restObject, clientSDK) {
   });
 }
 
+const classesWithMasterOnlyAccess = ['_PushStatus', '_Hooks', '_GlobalConfig', '_JobStatus', '_JobSchedule'];
 // Disallowing access to the _Role collection except by master key
 function enforceRoleSecurity(method, className, auth) {
+  if (classesWithMasterOnlyAccess.indexOf(className) > -1 && !auth.isMaster) {
+    const error = new Error();
+    error.status = 403;
+    error.message = "unauthorized: master key is required";
+    throw error;
+  }
   if (className === '_Installation' && !auth.isMaster) {
     if (method === 'delete' || method === 'find') {
       const error = `Clients aren't allowed to perform the ${method} operation on the installation collection.`