-
-
Notifications
You must be signed in to change notification settings - Fork 594
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Aggregate query does not honor sessionToken
option if passed
#1393
Comments
While this is theoretically possible, it requires an enormous effort to parse the MongoDB aggregation syntax and interpret it correctly. It essentially requires to replicate the whole MongoDB aggregation parser in Parse Server. Given the versatility of aggregation and implied complexity, I would consider this highly unfeasible. Maybe consider aggregation queries as a form of "direct access" to the database that circumvents any Parse Server checks - and for that matter even most MongoDB Node.js driver checks. I'm closing this for now, we can always re-open if someone really wants to pick this up and start working on it. |
Just FYI maybe worth updating the docs as it says here its possible to use https://parseplatform.org/Parse-SDK-JS/api/master/Parse.Query.html#aggregate |
Would you want to open an issue or even just a quick PR? |
@mtrezza I can indeed, where do i find these docs ? I had a look around and found this repo but dont see anything related to the page i posted above https://github.com/parse-community/docs Also if i remove the only valid option for |
This is created in the Parse JS SDK API docs, as you can see in the URL, https://parseplatform.org/Parse-SDK-JS/api/master/Parse.Query.html#aggregate I wonder whether the option should actually be removed. Maybe the docs mean that the session token makes a ParseUser and/or the session token available in a Cloud Code trigger? But not sure if there are any triggers for aggregate queries? If so, we may only need to add a note that ACL / CLP are not applicable to aggregate queries. I think a look into the JS SDK and server code could give more insight here. |
Thanks for opening this issue!
|
Reopened, because the docs need to be adapted. |
New Issue Checklist
Issue Description
Aggregate query does not honor the
sessionToken
option.When passing a
sessionToken
it should only return objects that are readable by the user with that session token. Instead, the ACLs are ignored and all objects are returned.Specifically, I have a query that is retrieving all objects of a certain class. A non-aggregate query could use the session token to only return objects the user has read permissions for. In the aggregate query, all objects are returned regardless of permissions.
I know that aggregate queries are different from normal queries and it may be impossible for you to support this option, but if that is the case the
sessionToken
should not be listed as an option for the aggregate function on the docs for Parse.Query (https://parseplatform.org/Parse-SDK-JS/api/master/Parse.Query.html#aggregate).Steps to reproduce
Actual Outcome
The objects owned by the first user are returned as part of the results for the second user's query.
Expected Outcome
The objects owned by the first user should be excluded from the second user's query. Only objects the second user has read access to should be returned.
Environment
Server
4.5.0
Database
4.2.6
Client
3.3.0
Logs
The text was updated successfully, but these errors were encountered: