Makes sure we don't strip authData or session token from users using masterKey (#2348)

flovilmart · TylerBrock · commit c9fc80984a2b · 2016-07-23T11:14:53.000-07:00
* Makes sure we don't strip auth data or session token from users queried with masterKey (#2342)) * nit: test title
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
@@ -1029,6 +1029,36 @@ describe('Parse.User testing', () => {
     });
   });
 
+  it_exclude_dbs(['postgres'])("user authData should be available in cloudcode (#2342)", (done) => {
+
+    Parse.Cloud.define('checkLogin', (req, res) => {
+      expect(req.user).not.toBeUndefined();
+      expect(Parse.FacebookUtils.isLinked(req.user)).toBe(true);
+      res.success();
+    });
+
+    var provider = getMockFacebookProvider();
+    Parse.User._registerAuthenticationProvider(provider);
+    Parse.User._logInWith("facebook", {
+      success: function(model) {
+        ok(model instanceof Parse.User, "Model should be a Parse.User");
+        strictEqual(Parse.User.current(), model);
+        ok(model.extended(), "Should have used subclass.");
+        strictEqual(provider.authData.id, provider.synchronizedUserId);
+        strictEqual(provider.authData.access_token, provider.synchronizedAuthToken);
+        strictEqual(provider.authData.expiration_date, provider.synchronizedExpiration);
+        ok(model._isLinked("facebook"), "User should be linked to facebook");
+
+        Parse.Cloud.run('checkLogin').then(done, done);
+      },
+      error: function(model, error) {
+        console.error(model, error);
+        ok(false, "linking should have worked");
+        done();
+      }
+    });
+  });
+
   it_exclude_dbs(['postgres'])("log in with provider and update token", (done) => {
     var provider = getMockFacebookProvider();
     var secondProvider = getMockFacebookProviderWithIdToken('8675309', 'jenny_valid_token');
diff --git a/src/RestQuery.js b/src/RestQuery.js
@@ -504,7 +504,7 @@ function includePath(config, auth, response, path) {
         obj.__type = 'Object';
         obj.className = includeResponse.className;
 
-        if (obj.className == "_User") {
+        if (obj.className == "_User" && !auth.isMaster) {
           delete obj.sessionToken;
           delete obj.authData;
         }

Original file line number	Diff line number	Diff line change
`@@ -504,7 +504,7 @@ function includePath(config, auth, response, path) {`
`504`	`504`	`obj.__type = 'Object';`
`505`	`505`	`obj.className = includeResponse.className;`
`506`	`506`
`507`		`- if (obj.className == "_User") {`
	`507`	`+ if (obj.className == "_User" && !auth.isMaster) {`
`508`	`508`	`delete obj.sessionToken;`
`509`	`509`	`delete obj.authData;`
`510`	`510`	`}`