LiveQueryClient subscribe with token - no updates to ACL secured objects

[kirilledelman]

Issue Description

Live query subscription to an ACL secured object doesn't work, even when sessionToken is passed.

Steps to reproduce

// user is logged in, there's a Patient object in the DB, whose ACL is set to Read+Write by same user
var lq = Parse.CoreManager.getLiveQueryController();
var cu = Parse.User.current();
var pq = new Parse.Query( 'Patient' );
pq.equalTo( 'userId', cu.id );
var plq = lq.subscribe( pq, cu.getSessionToken() );
plq.on('update', (object) => {
	console.log('object updated', object );
});

Update a field in Patient object on the server.

Expected Results

"object updated" handler should be called

Actual Outcome

nothing happens.

Environment Setup

• Server

  • parse-server version (Be specific! Don't say 'latest'.) : ^3.1.3
  • Operating System: CentOS
  • Hardware: AWS instance
  • Localhost or remote server? AWS remote server

• JS SDK

  • JS SDK version: 2.2.1
  • Application: Chrome

[dplewis]

Improvements were made to LiveQuery Pull Request #758

Can you update to the latest version?

If it still doesn't work can you write a failing test? There are examples in the Pull Request if you need it.

Note: await query.subscribe() gets the current user session internally

[kirilledelman]

@dplewis, I've updated my JS SDK to the latest PR and server side parse-server node packages, but I'm still getting the same behavior. I can see that Subscription object I get from subscribing to a query has the correct sessionToken property set to currently authenticated user. But when I subscribe to a query that returns an object whose ACL is set to the current user, I get no update event. ACL set to public read+write posts update events correctly.

So this must be the server side problem, right?

[dplewis]

There is a issue opened on the server side parse-community/parse-server#5393

Would you like to provide a fix?

[kirilledelman]

I don't think #5393 is the same to what I'm experiencing. I'm not using roles and my object is secured with an ACL containing a single user id, and I'm not getting updates. Unfortunately, I'm not familiar enough with Parse project to be able to fix this. I was hoping for a known workaround.

[dplewis]

Can you write a failing test?

[dplewis]

@kirilledelman I wrote a test case here #791. The test passed. Can you compare or change it to match your use case?

[kirilledelman]

@dplewis
Thank you for following up. Your test case looks correct, but it still doesn't work in my set up.
I don't get update event for my ACL-user protected object when I test in browser vs AWS backend environment.
I did update parse-server on my AWS instance to the latest. Here's my code on the client side:

	// queries for getting patients
	var cu = Parse.User.current();
	var pq = new Parse.Query( 'Patient' );
	pq.equalTo( 'userId', cu.id );
	pq.subscribe( cu.getSessionToken() ).then( (plq)=>{
		plq.on('update', (object) => {
			console.log('object updated', object );
		});
		console.log( "plq", plq );
	} );

	// refresh patients
	pq.find().then( ( list ) => {
		console.log( "live query find: ", list );
	});

I have two Patient objects - one with public read/write ACL, another one ACL'd to this user. The code above prints out both of them (in the find() call), but when I modify a field on Patient object via parse-dashboard, I only get a "object updated" on the public one. Inspecting my "plq" object shows that sessionToken is set correctly.

I appreciate your help, but I'm not sure how I can troubleshoot this further.

[dplewis]

Does it run locally? I just tried it with with 2 objects, public access on one, user access on the other and worked. Might be an AWS issue

Did you edit both of them in the dashboard? Does it work if you edit them client side?

Can you post logs? VERBOSE=1

[kirilledelman]

Thanks for following up - I've decided to try a different framework - the fault is probably in my AWS set up somewhere, but I feel like I lack the tech knowledge to properly troubleshoot it with you.

[parse-github-assistant]

The label type:feature cannot be used in combination with type:improvement.