Disables find on installation from clients

- fixes #1372
parse-community · Apr 5, 2016 · b910a99 · b910a99
1 parent 18906f1
commit b910a99
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 5 deletions.
diff --git a/spec/ParseInstallation.spec.js b/spec/ParseInstallation.spec.js
@@ -119,6 +119,50 @@ describe('Installations', () => {
     }).catch((error) => { console.log(error); });
   });
 
+  it('should properly fail queying installations', (done) => {
+    var installId = '12345678-abcd-abcd-abcd-123456789abc';
+    var device = 'android';
+    var input = {
+      'installationId': installId,
+      'deviceType': device
+    };
+    rest.create(config, auth.nobody(config), '_Installation', input)
+    .then(() => {
+      let query = new Parse.Query(Parse.Installation);
+      return query.find()
+    }).then((results) => {
+      fail('Should not succeed!');
+      done();
+    }).catch((error) => {
+      expect(error.code).toBe(119);
+      expect(error.message).toBe('Clients aren\'t allowed to perform the find operation on the installation collection.')
+      done();
+    });
+  });
+
+  it('should properly queying installations with masterKey', (done) => {
+    var installId = '12345678-abcd-abcd-abcd-123456789abc';
+    var device = 'android';
+    var input = {
+      'installationId': installId,
+      'deviceType': device
+    };
+    rest.create(config, auth.nobody(config), '_Installation', input)
+    .then(() => {
+      let query = new Parse.Query(Parse.Installation);
+      return query.find({useMasterKey: true});
+    }).then((results) => {
+      expect(results.length).toEqual(1);
+      var obj = results[0].toJSON();
+      expect(obj.installationId).toEqual(installId);
+      expect(obj.deviceType).toEqual(device);
+      done();
+    }).catch((error) => {
+      fail('Should not fail');
+      done();
+    });
+  });
+
   it('fails with missing ids', (done) => {
     var input = {
       'deviceType': 'android',

diff --git a/src/rest.js b/src/rest.js
@@ -119,11 +119,11 @@ function update(config, auth, className, objectId, restObject) {
 
 // Disallowing access to the _Role collection except by master key
 function enforceRoleSecurity(method, className, auth) {
-  if (method === 'delete' && className === '_Installation' && !auth.isMaster) {
-    throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN,
-                          'Clients aren\'t allowed to perform the ' +
-                          'delete operation on the installation collection.');
-
+  if (className === '_Installation' && !auth.isMaster) {
+    if (method === 'delete' || method === 'find') {
+      let error = `Clients aren't allowed to perform the ${method} operation on the installation collection.`
+      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
+    }
   }
 }