CLP objectId size validation fix (#6332)
* Relax regex for customId; allow varying id length

* test

* remove trycatch, fix typo

* de-duplicate test names; test pointer targetclass

* fixed early return; detailed errors for protected
BufferUnderflower authored and davimacedo committed Jan 14, 2020
1 parent 9842c6e commit 2d257e2
Showing 4 changed files with 221 additions and 84 deletions.
43 changes: 35 additions & 8 deletions spec/PointerPermissions.spec.js
Expand Up @@ -399,7 +399,7 @@ describe('Pointer Permissions', () => {
});
});

it('should prevent creating pointer permission on bad field', done => {
it('should prevent creating pointer permission on bad field (of wrong type)', done => {
const config = Config.get(Parse.applicationId);
config.database
.loadSchema()
Expand All @@ -426,7 +426,34 @@ describe('Pointer Permissions', () => {
});
});

it('should prevent creating pointer permission on bad field', done => {
it('should prevent creating pointer permission on bad field (non-user pointer)', done => {
const config = Config.get(Parse.applicationId);
config.database
.loadSchema()
.then(schema => {
return schema.addClassIfNotExists(
'AnObject',
{ owner: { type: 'Pointer', targetClass: '_Session' } },
{
create: {},
writeUserFields: ['owner'],
readUserFields: ['owner'],
}
);
})
.then(() => {
fail('should not succeed');
})
.catch(err => {
expect(err.code).toBe(107);
expect(err.message).toBe(
"'owner' is not a valid column for class level pointer permissions writeUserFields"
);
done();
});
});

it('should prevent creating pointer permission on bad field (non-existing)', done => {
const config = Config.get(Parse.applicationId);
const object = new Parse.Object('AnObject');
object.set('owner', 'value');
Expand Down Expand Up @@ -984,7 +1011,7 @@ describe('Pointer Permissions', () => {
);
});

it('should fail with invalid pointer perms', done => {
it('should fail with invalid pointer perms (not array)', done => {
const config = Config.get(Parse.applicationId);
config.database
.loadSchema()
Expand All @@ -1002,7 +1029,7 @@ describe('Pointer Permissions', () => {
});
});

it('should fail with invalid pointer perms', done => {
it('should fail with invalid pointer perms (non-existing field)', done => {
const config = Config.get(Parse.applicationId);
config.database
.loadSchema()
Expand Down Expand Up @@ -1398,7 +1425,7 @@ describe('Pointer Permissions', () => {
}
});

it('should prevent creating pointer permission on bad field', async done => {
it('should prevent creating pointer permission on bad field (of wrong type)', async done => {
const config = Config.get(Parse.applicationId);
const schema = await config.database.loadSchema();
try {
Expand All @@ -1421,7 +1448,7 @@ describe('Pointer Permissions', () => {
}
});

it('should prevent creating pointer permission on bad field', async done => {
it('should prevent creating pointer permission on bad field (non-existing)', async done => {
const config = Config.get(Parse.applicationId);
const object = new Parse.Object('AnObject');
object.set('owners', 'value');
Expand Down Expand Up @@ -1955,7 +1982,7 @@ describe('Pointer Permissions', () => {
}
});

it('should fail with invalid pointer perms', async done => {
it('should fail with invalid pointer perms (not array)', async done => {
const config = Config.get(Parse.applicationId);
const schema = await config.database.loadSchema();
try {
Expand All @@ -1971,7 +1998,7 @@ describe('Pointer Permissions', () => {
}
});

it('should fail with invalid pointer perms', async done => {
it('should fail with invalid pointer perms (non-existing field)', async done => {
const config = Config.get(Parse.applicationId);
const schema = await config.database.loadSchema();
try {
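Review bot: In the new `(non-user pointer)` test, the success branch calls `fail('should not succeed')` but never calls `done`, so if a `_Session` pointer were ever accepted in `writeUserFields` the test would surface as a timeout rather than an immediate, attributable failure; change it to `.then(() => { fail('should not succeed'); done(); })`. The schema in that test lists `owner` under both `readUserFields` and `writeUserFields` but the asserted message names only `writeUserFields`, which presumably reflects the order the server validates the two lists — a one-line comment such as `// writeUserFields is validated first, so its message is the one surfaced` would stop a later reordering from looking like a regression. The remaining hunks in this section are renames only; the test bodies they touch start or end outside the visible hunks.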
16 changes: 2 additions & 14 deletions spec/Schema.spec.js
Expand Up @@ -1665,7 +1665,7 @@ describe('Class Level Permissions for requiredAuth', () => {
);
});

it('required auth test create/get/update/delete not authenitcated', done => {
it('required auth test get not authenitcated', done => {
config.database
.loadSchema()
.then(schema => {
Expand All @@ -1677,12 +1677,6 @@ describe('Class Level Permissions for requiredAuth', () => {
get: {
requiresAuthentication: true,
},
delete: {
requiresAuthentication: true,
},
update: {
requiresAuthentication: true,
},
create: {
'*': true,
},
Expand Down Expand Up @@ -1710,7 +1704,7 @@ describe('Class Level Permissions for requiredAuth', () => {
);
});

it('required auth test create/get/update/delete not authenitcated', done => {
it('required auth test find not authenitcated', done => {
config.database
.loadSchema()
.then(schema => {
Expand All @@ -1722,12 +1716,6 @@ describe('Class Level Permissions for requiredAuth', () => {
find: {
requiresAuthentication: true,
},
delete: {
requiresAuthentication: true,
},
update: {
requiresAuthentication: true,
},
create: {
'*': true,
},
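Review bot: Dropping the `delete` and `update` `requiresAuthentication` entries from both fixtures narrows these two tests to `get` and `find`, which matches their new names but means the `update`/`delete` authentication requirement is no longer exercised by either test. Unless another spec covers those two operations (not visible here), that is lost negative coverage on a CLP path; either keep the entries as inert fixture state or add a `// update/delete requiresAuthentication is covered in <spec>` pointer so the narrowing is deliberate. Both test bodies continue past the visible hunks.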
80 changes: 64 additions & 16 deletions spec/schemas.spec.js
Expand Up @@ -1835,46 +1835,94 @@ describe('schemas', () => {
});
});

it('should throw with invalid userId (>10 chars)', done => {
request({
it('should aceept class-level permission with userid of any length', async done => {
await global.reconfigureServer({
customIdSize: 11,
});

const id = 'e1evenChars';

const { data } = await request({
method: 'POST',
url: 'http://localhost:8378/1/schemas/AClass',
headers: masterKeyHeaders,
json: true,
body: {
classLevelPermissions: {
find: {
'1234567890A': true,
[id]: true,
},
},
},
}).then(fail, response => {
expect(response.data.error).toEqual(
"'1234567890A' is not a valid key for class level permissions"
);
done();
});

expect(data.classLevelPermissions.find[id]).toBe(true);

done();
});

it('should throw with invalid userId (<10 chars)', done => {
request({
it('should allow set class-level permission for custom userid of any length and chars', async done => {
await global.reconfigureServer({
allowCustomObjectId: true,
});

const symbolsId = 'set:ID+symbol$=@llowed';
const shortId = '1';
const { data } = await request({
method: 'POST',
url: 'http://localhost:8378/1/schemas/AClass',
headers: masterKeyHeaders,
json: true,
body: {
classLevelPermissions: {
find: {
a12345678: true,
[symbolsId]: true,
[shortId]: true,
},
},
},
}).then(fail, response => {
expect(response.data.error).toEqual(
"'a12345678' is not a valid key for class level permissions"
);
done();
});

expect(data.classLevelPermissions.find[symbolsId]).toBe(true);
expect(data.classLevelPermissions.find[shortId]).toBe(true);

done();
});

it('should allow set ACL for custom userid', async done => {
await global.reconfigureServer({
allowCustomObjectId: true,
});

const symbolsId = 'symbols:id@allowed=';
const shortId = '1';
const normalId = 'tensymbols';

const { data } = await request({
method: 'POST',
url: 'http://localhost:8378/1/classes/AClass',
headers: masterKeyHeaders,
json: true,
body: {
ACL: {
[symbolsId]: { read: true, write: true },
[shortId]: { read: true, write: true },
[normalId]: { read: true, write: true },
},
},
});

const { data: created } = await request({
method: 'GET',
url: `http://localhost:8378/1/classes/AClass/${data.objectId}`,
headers: masterKeyHeaders,
json: true,
});

expect(created.ACL[normalId].write).toBe(true);
expect(created.ACL[symbolsId].write).toBe(true);
expect(created.ACL[shortId].write).toBe(true);
done();
});

it('should throw with invalid userId (invalid char)', done => {
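Review bot: The new tests only pin the positive side of the relaxed key check — ids of length 11, `1`, and strings containing `:`, `+`, `$`, `=`, `@` are accepted — but none asserts where the relaxation stops, and the replaced `(>10 chars)`/`(<10 chars)` rejection tests are gone. Because the accepted samples `set:ID+symbol$=@llowed` and `symbols:id@allowed=` both contain a colon, and CLP/ACL keys use a prefix-plus-colon form for role entries (not visible in this hunk), a custom objectId such as `role:admin` would presumably now pass the same key check; a negative test asserting that such a key is rejected, or at least not treated as a user id, would fix that boundary, e.g. `it('should reject custom userid shaped like a role key', ...)`. The `(invalid char)` test that follows is cut off at the end of the section, so it may already cover part of this.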
