Adds class level permission requiring authenticated user

flovilmart · flovilmart · commit 1e2af2c21520 · 2016-07-18T20:13:45.000-04:00
diff --git a/spec/Schema.spec.js b/spec/Schema.spec.js
@@ -799,3 +799,216 @@ describe('SchemaController', () => {
     done();
   });
 });
+
+describe('Class Level Permissions for requiredAuth', () => {
+  
+  function createUser() {
+     let user =  new Parse.User();
+     user.set("username", "hello");
+     user.set("password", "world");
+     return user.signUp(null);
+  }  
+  it('required auth test find', (done) => {
+    config.database.loadSchema().then((schema) => {
+        // Just to create a valid class
+        return schema.validateObject('Stuff', {foo: 'bar'});
+      }).then((schema) => {
+        return schema.setPermissions('Stuff', {
+          'find': {
+            'requiresAuthentication': true
+          }
+        });
+      }).then((schema) => {
+        var query = new Parse.Query('Stuff');
+        return query.find();
+      }).then((results) => {
+        fail('Class permissions should have rejected this query.');
+        done();
+      }, (e) => {
+        expect(e.message).toEqual('Permission denied, user needs to be authenticated.');
+        done();
+      });
+  });
+  
+  it('required auth test find authenticated', (done) => {
+    config.database.loadSchema().then((schema) => {
+        // Just to create a valid class
+        return schema.validateObject('Stuff', {foo: 'bar'});
+      }).then((schema) => {
+        return schema.setPermissions('Stuff', {
+          'find': {
+            'requiresAuthentication': true
+          }
+        });
+      }).then((schema) => {
+        return createUser();
+      }).then((user) => {
+        var query = new Parse.Query('Stuff');
+        return query.find();
+      }).then((results) => {
+        expect(results.length).toEqual(0);
+        done();
+      }, (e) => {
+        console.error(e);
+        fail("Should not have failed");
+        done();
+      });
+  });
+  
+  it('required auth test create authenticated', (done) => {
+    config.database.loadSchema().then((schema) => {
+        // Just to create a valid class
+        return schema.validateObject('Stuff', {foo: 'bar'});
+      }).then((schema) => {
+        return schema.setPermissions('Stuff', {
+          'create': {
+            'requiresAuthentication': true
+          }
+        });
+      }).then((schema) => {
+        return createUser();
+      }).then((user) => {
+        let stuff = new Parse.Object('Stuff');
+        stuff.set('foo', 'bar');
+        return stuff.save();
+      }).then((savedObject) => {
+        done();
+      }, (e) => {
+        console.error(e);
+        fail("Should not have failed");
+        done();
+      });
+  });
+  
+  it('required auth test create authenticated', (done) => {
+    config.database.loadSchema().then((schema) => {
+        // Just to create a valid class
+        return schema.validateObject('Stuff', {foo: 'bar'});
+      }).then((schema) => {
+        return schema.setPermissions('Stuff', {
+          'create': {
+            'requiresAuthentication': true
+          }
+        });
+      }).then((user) => {
+        let stuff = new Parse.Object('Stuff');
+        stuff.set('foo', 'bar');
+        return stuff.save();
+      }).then((results) => {
+        fail('Class permissions should have rejected this query.');
+        done();
+      }, (e) => {
+        expect(e.message).toEqual('Permission denied, user needs to be authenticated.');
+        done();
+      });
+  });
+  
+  it('required auth test create/get/update/delete authenticated', (done) => {
+    config.database.loadSchema().then((schema) => {
+      // Just to create a valid class
+      return schema.validateObject('Stuff', {foo: 'bar'});
+    }).then((schema) => {
+      return schema.setPermissions('Stuff', {
+        'create': {
+          'requiresAuthentication': true
+        },
+        'get': {
+          'requiresAuthentication': true
+        },
+        'delete': {
+          'requiresAuthentication': true
+        },
+        'update': {
+          'requiresAuthentication': true
+        }
+      });
+    }).then((schema) => {
+      return createUser();
+    }).then((user) => {
+      let stuff = new Parse.Object('Stuff');
+      stuff.set('foo', 'bar');
+      return stuff.save().then(() => {
+        let query = new Parse.Query('Stuff');
+        return query.get(stuff.id);
+      });
+    }).then((gotStuff) => {
+      gotStuff.save({'foo': 'baz'}).then(() => {
+          return gotStuff.destroy();
+      })
+    }).then(() => {
+      done();
+    }, (e) => {
+      console.error(e);
+      fail("Should not have failed");
+      done();
+    });
+  });
+  
+  it('required auth test create/get/update/delete not authenitcated', (done) => {
+    config.database.loadSchema().then((schema) => {
+      // Just to create a valid class
+      return schema.validateObject('Stuff', {foo: 'bar'});
+    }).then((schema) => {
+      return schema.setPermissions('Stuff', {
+        'get': {
+          'requiresAuthentication': true
+        },
+        'delete': {
+          'requiresAuthentication': true
+        },
+        'update': {
+          'requiresAuthentication': true
+        }
+      });
+    }).then((user) => {
+      let stuff = new Parse.Object('Stuff');
+      stuff.set('foo', 'bar');
+      return stuff.save().then(() => {
+        let query = new Parse.Query('Stuff');
+        return query.get(stuff.id);
+      });
+    }).then((res) => {
+      fail("Should not succeed!");
+      done();
+    }, (e) => {
+      expect(e.message).toEqual('Permission denied, user needs to be authenticated.');
+      done();
+    });
+  });
+  
+  it('required auth test create/get/update/delete not authenitcated', (done) => {
+    config.database.loadSchema().then((schema) => {
+      // Just to create a valid class
+      return schema.validateObject('Stuff', {foo: 'bar'});
+    }).then((schema) => {
+      return schema.setPermissions('Stuff', {
+        'find': {
+          'requiresAuthentication': true
+        },
+        'delete': {
+          'requiresAuthentication': true
+        },
+        'update': {
+          'requiresAuthentication': true
+        }
+      });
+    }).then((user) => {
+      let stuff = new Parse.Object('Stuff');
+      stuff.set('foo', 'bar');
+      return stuff.save().then(() => {
+        let query = new Parse.Query('Stuff');
+        return query.get(stuff.id);
+      })
+    }).then((result) => {
+      expect(result.get('foo')).toEqual('bar');
+      let query = new Parse.Query('Stuff');
+      return query.find();  
+   }).then((res) => {
+      fail("Should not succeed!");
+      done();
+    }, (e) => {
+      expect(e.message).toEqual('Permission denied, user needs to be authenticated.');
+      done();
+    });
+  });
+})
diff --git a/src/Controllers/SchemaController.js b/src/Controllers/SchemaController.js
@@ -676,6 +676,25 @@ class SchemaController {
     }
     let classPerms = this.perms[className];
     let perms = classPerms[operation];
+
+    // If only for authenticated users
+    // make sure we have an aclGroup
+    if (perms['requiresAuthentication']) {
+      // If aclGroup has * (public)
+      if (!aclGroup || aclGroup.length == 0) {
+        throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,
+        'Permission denied, user needs to be authenticated.');
+      } else if (aclGroup.indexOf('*') > -1 && aclGroup.length == 1) {
+        throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,
+        'Permission denied, user needs to be authenticated.');
+      }
+      // no other CLP than requiresAuthentication
+      // let's resolve that!
+      if (Object.keys(perms).length == 1) {
+        return Promise.resolve();
+      }
+    }
+
     // No matching CLP, let's check the Pointer permissions
     // And handle those later
     let permissionField = ['get', 'find'].indexOf(operation) > -1 ? 'readUserFields' : 'writeUserFields';
