Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Aggregate query does not honor sessionToken option if passed #1393

Open
4 tasks done
obermillerk opened this issue Aug 12, 2021 · 7 comments
Open
4 tasks done

Aggregate query does not honor sessionToken option if passed #1393

obermillerk opened this issue Aug 12, 2021 · 7 comments
Labels
state:wont-fix Won’t be fixed with a clearly stated reason type:feature New feature or improvement of existing feature

Comments

@obermillerk
Copy link

obermillerk commented Aug 12, 2021
edited
Loading

New Issue Checklist

Issue Description

Aggregate query does not honor the sessionToken option.

When passing a sessionToken it should only return objects that are readable by the user with that session token. Instead, the ACLs are ignored and all objects are returned.

Specifically, I have a query that is retrieving all objects of a certain class. A non-aggregate query could use the session token to only return objects the user has read permissions for. In the aggregate query, all objects are returned regardless of permissions.

I know that aggregate queries are different from normal queries and it may be impossible for you to support this option, but if that is the case the sessionToken should not be listed as an option for the aggregate function on the docs for Parse.Query (https://parseplatform.org/Parse-SDK-JS/api/master/Parse.Query.html#aggregate).

Steps to reproduce

  • Create a user and create some Parse Objects that the user has exclusive read and write access to in the ACL
  • Create a Cloud function that runs an aggregate query for these Parse Objects and returns all of them
  • Log in as a second user and run the aggregate query

Actual Outcome

The objects owned by the first user are returned as part of the results for the second user's query.

Expected Outcome

The objects owned by the first user should be excluded from the second user's query. Only objects the second user has read access to should be returned.

Environment

Server

  • Parse Server version: 4.5.0
  • Operating system: Windows 10, I think also linux on our deployed server
  • Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): local (and deployed)

Database

  • System (MongoDB or Postgres): MongoDB
  • Database version: 4.2.6
  • Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): local (and deployed)

Client

  • Parse JS SDK version: 3.3.0

Logs
@mtrezza mtrezza added the type:feature New feature or improvement of existing feature label Oct 5, 2021
@mtrezza
Copy link
Member

mtrezza commented Oct 5, 2021
edited
Loading

While this is theoretically possible, it requires an enormous effort to parse the MongoDB aggregation syntax and interpret it correctly. It essentially requires to replicate the whole MongoDB aggregation parser in Parse Server. Given the versatility of aggregation and implied complexity, I would consider this highly unfeasible. Maybe consider aggregation queries as a form of "direct access" to the database that circumvents any Parse Server checks - and for that matter even most MongoDB Node.js driver checks.

I'm closing this for now, we can always re-open if someone really wants to pick this up and start working on it.

@mtrezza mtrezza closed this as completed Oct 5, 2021
@mtrezza mtrezza added the state:wont-fix Won’t be fixed with a clearly stated reason label Oct 5, 2021
@REPTILEHAUS
Copy link

Just FYI maybe worth updating the docs as it says here its possible to use https://parseplatform.org/Parse-SDK-JS/api/master/Parse.Query.html#aggregate

@mtrezza
Copy link
Member

mtrezza commented Aug 3, 2023
edited
Loading

Would you want to open an issue or even just a quick PR?

@REPTILEHAUS
Copy link

REPTILEHAUS commented Aug 4, 2023
edited
Loading

@mtrezza I can indeed, where do i find these docs ? I had a look around and found this repo but dont see anything related to the page i posted above https://github.com/parse-community/docs

Also if i remove the only valid option for aggregate(pipeline, options) should i just remove the options entirely from aggregate ?

@mtrezza
Copy link
Member

mtrezza commented Aug 4, 2023
edited
Loading

This is created in the Parse JS SDK API docs, as you can see in the URL, Parse-SDK-JS:

https://parseplatform.org/Parse-SDK-JS/api/master/Parse.Query.html#aggregate

I wonder whether the option should actually be removed. Maybe the docs mean that the session token makes a ParseUser and/or the session token available in a Cloud Code trigger? But not sure if there are any triggers for aggregate queries? If so, we may only need to add a note that ACL / CLP are not applicable to aggregate queries. I think a look into the JS SDK and server code could give more insight here.

@mtrezza mtrezza reopened this Aug 4, 2023
@parse-github-assistant
Copy link

Thanks for opening this issue!

  • 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

@mtrezza
Copy link
Member

mtrezza commented Aug 4, 2023

Reopened, because the docs need to be adapted.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
state:wont-fix Won’t be fixed with a clearly stated reason type:feature New feature or improvement of existing feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@REPTILEHAUS @mtrezza @obermillerk