Class with CLP using _Role plus a CLP using _User pointer not working as expected #1953
Comments
It looks like we're a bit aggressive with the pointer permissions restrictions. I'll have a look

Thanks @flovilmart - let me know if there's anything I can do to help out.

Maybe open a PR with the failing test, that would help. The fix should not be that complicated, if you wanna try to knock it down, feel free!

I think I have a similar issue. I have two class level permissions: one for Pointer and one for User. All users can create objects of this class. They have access only to objects created by themselves. I have a pointer field "user" and a class level permission for this pointer. There is an "admin" user who has access to all objects of this class. I have another class level permission for this User. That works fine with parse.com and it worked fine with self hosted Parse Server version 2.2.5. However it does not work with the latest version. Queries for the admin user do not return any objects because parse server adds a condition to the query that the "user" field should contain the user who is executing the query. These objects have their creator in the "user" field and the admin user does not create these objects. But he should be able to see all objects.

@akozlov could you include the exact configuration you use in Parse.com and Parse Server? Eg. screenshots of your security editor, and schema.
Here are screenshots of self-hosted parse server app:

This is my app at parse.com:

This is my test code:

```js
var Parse = require('parse/node').Parse;
Parse.initialize('APPLICATION_ID', 'JAVASCRIPT_KEY');
Parse.serverURL = 'http://localhost:1337/parse';

function loadObjects(username, password) {
  Parse.User.logIn(username, password).then(function(user) {
    var query = new Parse.Query(Parse.Object.extend('Object'));
    return query.find({ sessionToken: user.getSessionToken() });
  }).then(function(objects) {
    console.log(username + ': loaded ' + objects.length + ' objects.');
  }).fail(function(err) {
    console.error(username + ': error: ' + err.message);
  });
}

loadObjects('user1', 'password');
loadObjects('user2', 'password');
loadObjects('user3', 'password');
loadObjects('admin', 'password');
```

Results using parse server version 2.2.11:
user3: loaded 0 objects.

Results using parse.com:
user2: loaded 2 objects.

The same code using parse server version 2.2.5:
user2: error: Permission denied for this action.
Here is another example. parse.com On parse.com:
Hosted Parse Server On Parse Server:
I can provide test code if needed - have to jump to a series of meetings now.
I tried to fix this problem myself: But it breaks some tests in PointerPermissions.spec.js. For example, there is a test testing that only owner should be able to update object (should work with write). In this test we have the following class level permissions:

```json
{
  "find": {
    "*": true
  },
  "get": {
    "*": true
  },
  "create": {
    "*": true
  },
  "update": {
    "*": true
  },
  "delete": {
    "*": true
  },
  "addField": {
    "*": true
  },
  "writeUserFields": [
    "owner"
  ],
  "readUserFields": [
    "reader",
    "owner"
  ]
}
```

I thought that if we have permission for '*' it should override Pointer permissions. So anyone can update this object. Am I wrong?
No, CLP, pointer permissions, and ACL can be thought of as separate gates, and a user must pass all of the gates to be able to access the object.

You mean there are 3 gates (CLP, pointer permissions and ACL)? Pointer permissions are treated separately from other CLP?

Yep.

Ok, thank you, but I think I still don't quite understand it. In my screenshots from parse.com above, the admin user does not have pointer permissions (only User permissions), but he has access to all objects. Also user1, user2 and user3 have only pointer permissions and they also have access to objects.

The PR seems legit to me, let me check the fork and see what tests are failing. Given the changes in your code, we you run through the original permissions validations (instead of adding another piece of logic)
A class that has CLPs of a Role and of a User pointer only returns data to the User pointer client.
To recreate
Create a class Rides which has an attribute rideOwnerId which is a pointer to _User.
Using the browser create a Role called generalUser.
Set the permissions for Rides using the data browser as follows:
On api.parse.com this works as one would expect e.g. a client belonging to generalUser can retrieve Rides but cannot update any Ride - only the client who is the rideOwnerId can update their Ride.
On Parse Server this doesn't work. The generalUser (_Role) CLP works alone; however, when I add the rideOwnerId (_User) CLP only the rideOwnerId can retrieve Rides. Queries by other clients who are part of generalUser return an empty array.
Logs/Trace
You can turn on additional logging by configuring VERBOSE=1 in your environment.
I can provide targeted logs but there are no errors and the only behaviour is that with only the Role CLP the results array is populated and with both the Role and the User CLP the results array is empty.
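
The two behaviours reported in this issue, as an added example that is not part of the original thread and is not parse-server code: a simplified model of how a role CLP and a pointer permission combine on the `Rides` class. The CLP object, the sample rows, and the names `matchesCLP`, `pointerFields` and `accessibleRides` are assumptions made for illustration, and the ACL gate is not modelled.

```javascript
// Simplified model of the access check described in this issue; not parse-server code.
// CLP keys follow the format shown in the thread: '*', a user id, or 'role:<name>'.
const ridesCLP = {            // constructed to match the issue's description
  find: { 'role:generalUser': true },
  get: { 'role:generalUser': true },
  update: {},
  readUserFields: ['rideOwnerId'],
  writeUserFields: ['rideOwnerId'],
};

// Constructed sample rows.
const rides = [
  { objectId: 'r1', rideOwnerId: 'owner1' },
  { objectId: 'r2', rideOwnerId: 'owner2' },
];

// True when the caller matches the class-level entry directly.
function matchesCLP(clp, op, aclGroup) {
  const perms = clp[op] || {};
  return aclGroup.some((id) => perms[id] === true);
}

// Pointer fields that grant access for a read or a write operation.
function pointerFields(clp, op) {
  const key = ['find', 'get'].includes(op) ? 'readUserFields' : 'writeUserFields';
  return clp[key] || [];
}

// strict=true reproduces the reported behaviour: the pointer constraint is
// applied to every query once the class has pointer permissions.
// strict=false is the behaviour the reporters describe on parse.com.
function accessibleRides(clp, op, userId, roles, strict) {
  const aclGroup = ['*', userId, ...roles.map((r) => `role:${r}`)];
  const direct = matchesCLP(clp, op, aclGroup);
  const fields = pointerFields(clp, op);
  if (!direct && fields.length === 0) throw new Error('Permission denied for this action.');
  if (direct && !(strict && fields.length > 0)) return rides;
  // Fall back to the pointer constraint: only rows that point at the caller.
  return rides.filter((r) => fields.some((f) => r[f] === userId));
}
```
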