Class with CLP using _Role plus a CLP using _User pointer not working as expected #1953

Closed
brianyyz opened this issue May 30, 2016 · 13 comments · Fixed by #1989
Comments

@brianyyz

A class that has CLPs of a Role and of a User pointer only returns data to the User pointer client.

To recreate

Create a class Rides which has an attribute rideOwnerId which is a pointer to _User.

Using the browser create a Role called generalUser.

Set the permissions for Rides using the data browser as follows:

  • Public: no access
  • generalUser (_Role): Get, Find, Create
  • rideOwnerId (_User): All

On api.parse.com this works as one would expect e.g. a client belonging to generalUser can retrieve Rides but cannot update any Ride - only the client who is the rideOwnerId can update their Ride.

On Parse Server this doesn't work. The generalUser (_Role) CLP works alone; however, when I add the rideOwnerId (_User) CLP, only the rideOwnerId can retrieve Rides. Queries by other clients who are part of generalUser return an empty array.

  • Server
    • parse-server version: 2.2.10
    • Operating System: OSX 10.11.5
    • Hardware: MBP
    • Localhost
  • Database
    • MongoDB version: 3.2.4
    • Storage engine: wiredtiger
    • Hardware: MBP
    • Localhost

Logs/Trace

You can turn on additional logging by configuring VERBOSE=1 in your environment.
I can provide targeted logs but there are no errors and the only behaviour is that with only the Role CLP the results array is populated and with both the Role and the User CLP the results array is empty.

@flovilmart
Contributor

It looks like we're a bit aggressive with the pointer permissions restrictions. I'll have a look

@brianyyz
Author

Thanks @flovilmart - let me know if there's anything I can do to help out.

@flovilmart
Contributor

Maybe open a PR with the failing test, that would help. The fix should not be that complicated, if you wanna try to knock it down, feel free!

@akozlov

akozlov commented May 30, 2016

I think I have similar issue.

I have two class level permissions: one for Pointer and one for User.

All users can create objects of this class. They have access only to objects created by themselves. I have a pointer field "user" and a class level permission for this pointer.

There is "admin" user who has access to all objects of this class. I have another class level permission for this User.

That works fine with parse.com and it worked fine with self hosted Parse Server version 2.2.5.

However, it does not work with the latest version. Queries for the admin user do not return any objects because Parse Server adds a condition to the query that the "user" field should contain the user who is executing the query. These objects have their creator in the "user" field and the admin user does not create these objects. But he should be able to see all objects.

@drew-gross
Contributor

@akozlov could you include the exact configuration you use in Parse.com and Parse Server? Eg. screenshots of your security editor, and schema.

@akozlov

akozlov commented Jun 1, 2016

@drew-gross

Here are screenshots of self-hosted parse server app:

screen shot 2016-06-01 at 09 57 01

screen shot 2016-06-01 at 09 57 15

screen shot 2016-06-01 at 09 57 19

This is my app at parse.com:

screen shot 2016-06-01 at 10 08 59

screen shot 2016-06-01 at 10 08 57

screen shot 2016-06-01 at 10 09 05

This is my test code:

// Test script as posted (comments added). Uses the Parse JS SDK from node:
// each user logs in and then runs the same find() on the "Object" class with
// that user's session token, so the query is evaluated under that user's
// CLP / pointer permission / ACL checks rather than the master key.
var Parse = require('parse/node').Parse;

Parse.initialize('APPLICATION_ID', 'JAVASCRIPT_KEY');
Parse.serverURL = 'http://localhost:1337/parse';

function loadObjects(username, password) {
    Parse.User.logIn(username, password).then(function(user) {
        var query = new Parse.Query(Parse.Object.extend('Object'));
        // Pass the session token explicitly: the four logins below run
        // concurrently, so the SDK's global "current user" cannot be relied on.
        return query.find({ sessionToken: user.getSessionToken() });
    }).then(function(objects) {
        console.log(username + ': loaded ' + objects.length + ' objects.');
    }).fail(function(err) {
        // A CLP denial surfaces here as "Permission denied for this action";
        // an over-restrictive pointer permission instead yields an empty result.
        console.error(username + ': error: ' + err.message);
    });
}

loadObjects('user1', 'password');
loadObjects('user2', 'password');
loadObjects('user3', 'password');
loadObjects('admin', 'password');

Results using parse server version 2.2.11:

user3: loaded 0 objects.
user2: loaded 2 objects.
user1: loaded 1 objects.
admin: loaded 0 objects.

Results using parse.com:

user2: loaded 2 objects.
user3: loaded 0 objects.
user1: loaded 1 objects.
admin: loaded 3 objects.

The same code using parse server version 2.2.5:

user2: error: Permission denied for this action.
user3: error: Permission denied for this action.
user1: error: Permission denied for this action.
admin: loaded 3 objects.

@brianyyz
Author

brianyyz commented Jun 1, 2016

Here is another example.

parse.com

screen shot 2016-06-01 at 09 16 25

screen shot 2016-06-01 at 09 17 10

On parse.com:

  • _Users who are not in the _Role generalUser (Public) have no access to any Team
  • All _Users in the _Role generalUser can get, retrieve all three Teams and create a new Team. The _User in the teamOwnerId pointer field is able to update that Team.

Hosted Parse Server

screen shot 2016-06-01 at 09 19 07

screen shot 2016-06-01 at 09 18 57

On Parse Server:

  • _Users who are not in the _Role generalUser have no access to any Team - working
  • _User in the teamOwnerId pointer field YdcPBSggSG is able to get, find team GLzIH99iFj
  • Behavior is that a _User can only see a Team for which they are the teamOwnerId
  • _User not in the teamOwnerId pointer field but in the Role generalUser is unable to retrieve Team GLzIH99iFj (or any other Team) - not working
  • If I remove the permission for the teamOwnerId pointer then _User in Role generalUser can retrieve Team GLzIH99iFj (and all other Teams)

I can provide test code if needed - have to jump to a series of meetings now.

@akozlov

akozlov commented Jun 2, 2016

I tried to fix this problem myself:

master...akozlov:master

But it breaks some tests in PointerPermissions.spec.js.

For example there is a test testing that only owner should be able to update object (should work with write).

In this test we have the following class level permissions:

{
  "find": {
    "*": true
  },
  "get": {
    "*": true
  },
  "create": {
    "*": true
  },
  "update": {
    "*": true
  },
  "delete": {
    "*": true
  },
  "addField": {
    "*": true
  },
  "writeUserFields": [
    "owner"
  ],
  "readUserFields": [
    "reader",
    "owner"
  ]
}

I thought that if we have permission for '*' it should override Pointer permissions. So anyone can update this object.

Am I wrong?

@drew-gross
Contributor

No, CLP, pointer permissions, and ACL can be thought of as separate gates, and a user must pass all of the gates to be able to access the object.

@akozlovbm

You mean there are 3 gates (CLP, pointer permissions and ACL)? Pointer permissions are treated separately from other CLP?

@drew-gross
Contributor

Yep.

@akozlovbm

akozlovbm commented Jun 3, 2016

Ok, thank you, but I think I still don't quite understand it. In my screenshots from parse.com above the admin user does not have pointer permissions (only User permissions), but he has access to all objects. Also user1, user2 and user3 have only pointer permissions and they also have access to objects.
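The two combination rules this thread contrasts, as an added example (not parse-server code and not code from any participant): a toy JavaScript model of the three checks drew-gross lists (explicit CLP entries, pointer permissions, ACL), run against akozlov's "Object" class and brianyyz's "Rides" class. The user ids (user1, user2, user3, admin, outsider), the row contents and the rule names pointerAlways and explicitOrPointer are constructed here for illustration; the CLP entries mirror the permission tables described in the comments above.

```javascript
// Added example, not parse-server code: a toy model of how class-level
// permissions (CLP), pointer permissions and ACLs combine, run against the
// scenarios in this thread. All ids, names and rows are constructed.

const READ_OPS = new Set(['find', 'get']);

// akozlov's class: "find" granted explicitly to the admin user id; everyone
// else reaches their own rows through the "user" pointer field.
const OBJECT_CLP = {
  find: { admin: true },
  get: { admin: true },
  create: { '*': true },
  readUserFields: ['user'],
  writeUserFields: ['user'],
};
const OBJECTS = [
  { objectId: 'o1', user: 'user1' },
  { objectId: 'o2', user: 'user2' },
  { objectId: 'o3', user: 'user2' },
];

// brianyyz's Rides class: find/get/create for role generalUser, everything
// for the user in rideOwnerId, no public access.
const RIDES_CLP = {
  find: { 'role:generalUser': true },
  get: { 'role:generalUser': true },
  create: { 'role:generalUser': true },
  readUserFields: ['rideOwnerId'],
  writeUserFields: ['rideOwnerId'],
};
const RIDES = [
  { objectId: 'r1', rideOwnerId: 'user1' },
  { objectId: 'r2', rideOwnerId: 'user2' },
];

const USERS = {
  user1: { id: 'user1', roles: ['generalUser'] },
  user2: { id: 'user2', roles: ['generalUser'] },
  user3: { id: 'user3', roles: ['generalUser'] },
  admin: { id: 'admin', roles: [] },
  outsider: { id: 'outsider', roles: [] }, // in no role, in no pointer field
};

// Gate 1: explicit CLP entries for this op: '*', a user id, or 'role:<name>'.
function passesExplicitClp(clp, op, requester) {
  const entry = clp[op] || {};
  return Boolean(entry['*'] || entry[requester.id] ||
    requester.roles.some((r) => entry['role:' + r]));
}

// Gate 2: pointer permissions: some listed field points at the requester.
function pointerFields(clp, op) {
  return (READ_OPS.has(op) ? clp.readUserFields : clp.writeUserFields) || [];
}
function passesPointerPermission(clp, op, requester, object) {
  return pointerFields(clp, op).some((f) => object[f] === requester.id);
}

// Gate 3: the per-object ACL; a missing ACL means public read and write.
function passesAcl(op, requester, object) {
  if (!object.ACL) return true;
  const kind = READ_OPS.has(op) ? 'read' : 'write';
  const ok = (key) => Boolean(object.ACL[key] && object.ACL[key][kind]);
  return ok('*') || ok(requester.id) || requester.roles.some((r) => ok('role:' + r));
}

// Class-level decision under the two rules contrasted in the thread:
//  'pointerAlways'     - whenever pointer fields exist for the op, the pointer
//                        constraint is applied to every requester, so an
//                        explicit grant (admin, role generalUser) does not help.
//                        This is the 2.2.11 behaviour akozlov describes.
//  'explicitOrPointer' - an explicit entry is enough; pointer fields only widen
//                        access for requesters that have none. This is the rule
//                        the parse.com results quoted in the thread fit.
function classLevelAllows(clp, op, requester, object, model) {
  const explicit = passesExplicitClp(clp, op, requester);
  if (pointerFields(clp, op).length === 0) return explicit;
  const pointer = passesPointerPermission(clp, op, requester, object);
  return model === 'pointerAlways' ? pointer : explicit || pointer;
}

// objectIds a requester gets back from find(); the ACL stays an independent
// gate under both rules.
function find(requester, clp, objects, model) {
  return objects
    .filter((o) => classLevelAllows(clp, 'find', requester, o, model) &&
                   passesAcl('find', requester, o))
    .map((o) => o.objectId);
}

// Every user against both classes under both rules.
function runScenarios() {
  const out = {};
  for (const model of ['pointerAlways', 'explicitOrPointer']) {
    out[model] = {};
    for (const u of Object.values(USERS)) {
      out[model][u.id] = {
        Object: find(u, OBJECT_CLP, OBJECTS, model),
        Rides: find(u, RIDES_CLP, RIDES, model),
      };
    }
  }
  return out;
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Under pointerAlways the admin and every generalUser member who is not the owner get an empty array, which is exactly the 2.2.11 output and the Rides symptom reported above; under explicitOrPointer the counts match the parse.com output (user1: 1, user2: 2, user3: 0, admin: 3) and generalUser members see all Rides. Passing a row with a restrictive ACL to find() shows the ACL still denying a requester that passed the class-level checks, so the ACL gate is separate in both models.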

@flovilmart
Contributor

The PR seems legit to me, let me check the fork and see what tests are failing.

Given the changes in your code, could you run through the original permissions validations (instead of adding another piece of logic)?
