feat: Add default ACL

spec/MongoSchemaCollectionAdapter.spec.js

@@ -18,6 +18,12 @@ describe('MongoSchemaCollection', () => {
         },
         _metadata: {
           class_permissions: {
+            ACL: {
+              '*': {
+                read: true,
+                write: true,
+              },
+            },
             get: { '*': true },
             find: { '*': true },
             count: { '*': true },
@@ -69,6 +75,12 @@ describe('MongoSchemaCollection', () => {
         objectId: { type: 'String' },
       },
       classLevelPermissions: {
+        ACL: {
+          '*': {
+            read: true,
+            write: true,
+          },
+        },
         find: { '*': true },
         get: { '*': true },
         count: { '*': true },

spec/ParseACL.spec.js

@@ -923,4 +923,32 @@ describe('Parse.ACL', () => {
 
     rest.create(config, auth.nobody(config), '_User', anonUser);
   });
+
+  it('support defaultACL in schema', async () => {
+    await new Parse.Object('TestObject').save();
+    const schema = await Parse.Server.database.loadSchema();
+    await schema.updateClass(
+      'TestObject',
+      {},
+      {
+        create: {
+          '*': true,
+        },
+        ACL: {
+          '*': { read: true },
+          currentUser: { read: true, write: true },
+        },
+      }
+    );
+    const acls = new Parse.ACL();
+    acls.setPublicReadAccess(true);
+    const user = await Parse.User.signUp('testuser', 'p@ssword');
+    const obj = new Parse.Object('TestObject');
+    await obj.save(null, { sessionToken: user.getSessionToken() });
+    expect(obj.getACL()).toBeDefined();
+    const acl = obj.getACL().toJSON();
+    expect(acl['*']).toEqual({ read: true });
+    expect(acl[user.id].write).toBeTrue();
+    expect(acl[user.id].read).toBeTrue();
+  });
 });

spec/Schema.spec.js

@@ -309,6 +309,12 @@ describe('SchemaController', () => {
             foo: { type: 'String' },
           },
           classLevelPermissions: {
+            ACL: {
+              '*': {
+                read: true,
+                write: true,
+              },
+            },
             find: { '*': true },
             get: { '*': true },
             count: { '*': true },
@@ -329,6 +335,12 @@ describe('SchemaController', () => {
 
   it('can update classes without needing an object', done => {
     const levelPermissions = {
+      ACL: {
+        '*': {
+          read: true,
+          write: true,
+        },
+      },
       find: { '*': true },
       get: { '*': true },
       count: { '*': true },
@@ -489,6 +501,12 @@ describe('SchemaController', () => {
             foo: { type: 'String' },
           },
           classLevelPermissions: {
+            ACL: {
+              '*': {
+                read: true,
+                write: true,
+              },
+            },
             find: { '*': true },
             get: { '*': true },
             count: { '*': true },
@@ -694,6 +712,12 @@ describe('SchemaController', () => {
 
   it('refuses to add CLP with incorrect find', done => {
     const levelPermissions = {
+      ACL: {
+        '*': {
+          read: true,
+          write: true,
+        },
+      },
       find: { '*': false },
       get: { '*': true },
       create: { '*': true },
@@ -717,6 +741,12 @@ describe('SchemaController', () => {
 
   it('refuses to add CLP when incorrectly sending a string to protectedFields object value instead of an array', done => {
     const levelPermissions = {
+      ACL: {
+        '*': {
+          read: true,
+          write: true,
+        },
+      },
       find: { '*': true },
       get: { '*': true },
       create: { '*': true },
@@ -785,6 +815,12 @@ describe('SchemaController', () => {
             aPolygon: { type: 'Polygon' },
           },
           classLevelPermissions: {
+            ACL: {
+              '*': {
+                read: true,
+                write: true,
+              },
+            },
             find: { '*': true },
             get: { '*': true },
             count: { '*': true },
@@ -832,6 +868,12 @@ describe('SchemaController', () => {
             parseVersion: { type: 'String' },
           },
           classLevelPermissions: {
+            ACL: {
+              '*': {
+                read: true,
+                write: true,
+              },
+            },
             find: { '*': true },
             get: { '*': true },
             count: { '*': true },
@@ -866,6 +908,12 @@ describe('SchemaController', () => {
             roles: { type: 'Relation', targetClass: '_Role' },
           },
           classLevelPermissions: {
+            ACL: {
+              '*': {
+                read: true,
+                write: true,
+              },
+            },
             find: { '*': true },
             get: { '*': true },
             count: { '*': true },
@@ -900,6 +948,12 @@ describe('SchemaController', () => {
             ACL: { type: 'ACL' },
           },
           classLevelPermissions: {
+            ACL: {
+              '*': {
+                read: true,
+                write: true,
+              },
+            },
             find: { '*': true },
             get: { '*': true },
             count: { '*': true },
@@ -1070,6 +1124,12 @@ describe('SchemaController', () => {
               relationField: { type: 'Relation', targetClass: '_User' },
             },
             classLevelPermissions: {
+              ACL: {
+                '*': {
+                  read: true,
+                  write: true,
+                },
+              },
               find: { '*': true },
               get: { '*': true },
               count: { '*': true },

spec/SchemaPerformance.spec.js

@@ -167,6 +167,12 @@ describe('Schema Performance', function () {
     await schema.reloadData();
 
     const levelPermissions = {
+      ACL: {
+        '*': {
+          read: true,
+          write: true,
+        },
+      },
       find: { '*': true },
       get: { '*': true },
       create: { '*': true },

spec/schemas.spec.js

@@ -26,6 +26,12 @@ const hasAllPODobject = () => {
 };
 
 const defaultClassLevelPermissions = {
+  ACL: {
+    '*': {
+      read: true,
+      write: true,
+    },
+  },
   find: {
     '*': true,
   },
@@ -2058,12 +2064,70 @@ describe('schemas', () => {
       },
     }).then(fail, response => {
       expect(response.data.error).toEqual(
-        "'1' is not a valid value for class level permissions find:*:1"
+        "'1' is not a valid value for class level permissions acl find:*"
       );
       done();
     });
   });
 
+  it('should validate defaultAcl with class level permissions when request is not an object', async () => {
+    const response = await request({
+      method: 'POST',
+      url: 'http://localhost:8378/1/schemas/AClass',
+      headers: masterKeyHeaders,
+      json: true,
+      body: {
+        classLevelPermissions: {
+          ACL: {
+            '*': true,
+          },
+        },
+      },
+    }).catch(error => error.data);
+
+    expect(response.error).toEqual(`'true' is not a valid value for class level permissions acl`);
+  });
+
+  it('should validate defaultAcl with class level permissions when request is an object and invalid key', async () => {
+    const response = await request({
+      method: 'POST',
+      url: 'http://localhost:8378/1/schemas/AClass',
+      headers: masterKeyHeaders,
+      json: true,
+      body: {
+        classLevelPermissions: {
+          ACL: {
+            '*': {
+              foo: true,
+            },
+          },
+        },
+      },
+    }).catch(error => error.data);
+
+    expect(response.error).toEqual(`'foo' is not a valid key for class level permissions acl`);
+  });
+
+  it('should validate defaultAcl with class level permissions when request is an object and invalid value', async () => {
+    const response = await request({
+      method: 'POST',
+      url: 'http://localhost:8378/1/schemas/AClass',
+      headers: masterKeyHeaders,
+      json: true,
+      body: {
+        classLevelPermissions: {
+          ACL: {
+            '*': {
+              read: 1,
+            },
+          },
+        },
+      },
+    }).catch(error => error.data);
+
+    expect(response.error).toEqual(`'1' is not a valid value for class level permissions acl`);
+  });
+
   it('should throw if permission is empty string', done => {
     request({
       method: 'POST',
@@ -2079,7 +2143,7 @@ describe('schemas', () => {
       },
     }).then(fail, response => {
       expect(response.data.error).toEqual(
-        "'' is not a valid value for class level permissions find:*:"
+        `'' is not a valid value for class level permissions acl find:*`
       );
       done();
     });
@@ -2690,6 +2754,12 @@ describe('schemas', () => {
     setPermissionsOnClass(
       '_Role',
       {
+        ACL: {
+          '*': {
+            read: true,
+            write: true,
+          },
+        },
         get: { '*': true },
         find: { '*': true },
         count: { '*': true },
@@ -2710,6 +2780,12 @@ describe('schemas', () => {
       })
       .then(res => {
         expect(res.data.classLevelPermissions).toEqual({
+          ACL: {
+            '*': {
+              read: true,
+              write: true,
+            },
+          },
           get: { '*': true },
           find: { '*': true },
           count: { '*': true },

src/Adapters/Storage/Mongo/MongoSchemaCollection.js

@@ -76,6 +76,12 @@ const emptyCLPS = Object.freeze({
 });
 
 const defaultCLPS = Object.freeze({
+  ACL: {
+    '*': {
+      read: true,
+      write: true,
+    },
+  },
   find: { '*': true },
   count: { '*': true },
   get: { '*': true },

src/Adapters/Storage/Postgres/PostgresStorageAdapter.js

@@ -127,6 +127,12 @@ const emptyCLPS = Object.freeze({
 });
 
 const defaultCLPS = Object.freeze({
+  ACL: {
+    '*': {
+      read: true,
+      write: true,
+    },
+  },
   find: { '*': true },
   get: { '*': true },
   count: { '*': true },

src/Controllers/SchemaController.js

@@ -255,6 +255,7 @@ function validateProtectedFieldsKey(key, userIdRegExp) {
 }
 
 const CLPValidKeys = Object.freeze([
+  'ACL',
   'find',
   'count',
   'get',
@@ -364,13 +365,34 @@ function validateCLP(perms: ClassLevelPermissions, fields: SchemaFields, userIdR
         continue;
       }
 
-      // or [entity]: boolean
       const permit = operation[entity];
 
-      if (permit !== true) {
+      if (operationKey === 'ACL') {
+        if (Object.prototype.toString.call(permit) !== '[object Object]') {
+          throw new Parse.Error(
+            Parse.Error.INVALID_JSON,
+            `'${permit}' is not a valid value for class level permissions acl`
+          );
+        }
+        const invalidKeys = Object.keys(permit).filter(key => !['read', 'write'].includes(key));
+        const invalidValues = Object.values(permit).filter(key => typeof key !== 'boolean');
+        if (invalidKeys.length) {
+          throw new Parse.Error(
+            Parse.Error.INVALID_JSON,
+            `'${invalidKeys.join(',')}' is not a valid key for class level permissions acl`
+          );
+        }
+
+        if (invalidValues.length) {
+          throw new Parse.Error(
+            Parse.Error.INVALID_JSON,
+            `'${invalidValues.join(',')}' is not a valid value for class level permissions acl`
+          );
+        }
+      } else if (permit !== true) {
         throw new Parse.Error(
           Parse.Error.INVALID_JSON,
-          `'${permit}' is not a valid value for class level permissions ${operationKey}:${entity}:${permit}`
+          `'${permit}' is not a valid value for class level permissions acl ${operationKey}:${entity}`
         );
       }
     }