Do not require addField permissions unless the root field does not exist

mstniy · mstniy · commit ed6a5d86d8ac · 2021-04-25T16:54:10.000+03:00
Also added a corresponding regression test
diff --git a/spec/Schema.spec.js b/spec/Schema.spec.js
@@ -1367,6 +1367,24 @@ describe('SchemaController', () => {
   });
 });
 
+describe('Class Level Permissions', () => {
+  it('does not require addField for nested modification (#7371)', async () => {
+    const testSchema = new Parse.Schema('test_7371');
+    testSchema.setCLP({
+      create: { ['*']: true },
+      update: { ['*']: true },
+      addField: {},
+    });
+    testSchema.addObject('a');
+    await testSchema.save();
+    const obj = new Parse.Object('test_7371');
+    obj.set('a', { b: 1 });
+    await obj.save();
+    obj.set('a.b', 2);
+    await obj.save();
+  });
+});
+
 describe('Class Level Permissions for requiredAuth', () => {
   beforeEach(() => {
     config = Config.get('test');
diff --git a/src/Controllers/DatabaseController.js b/src/Controllers/DatabaseController.js
@@ -894,7 +894,7 @@ class DatabaseController {
       if (object[field] && object[field].__op && object[field].__op === 'Delete') {
         return false;
       }
-      return schemaFields.indexOf(field) < 0;
+      return schemaFields.indexOf(getRootFieldName(field)) < 0;
     });
     if (newKeys.length > 0) {
       // adds a marker that new field is being adding during update

Original file line number	Diff line number	Diff line change
`@@ -894,7 +894,7 @@ class DatabaseController {`
`894`	`894`	`if (object[field] && object[field].__op && object[field].__op === 'Delete') {`
`895`	`895`	`return false;`
`896`	`896`	`}`
`897`		`- return schemaFields.indexOf(field) < 0;`
	`897`	`+ return schemaFields.indexOf(getRootFieldName(field)) < 0;`
`898`	`898`	`});`
`899`	`899`	`if (newKeys.length > 0) {`
`900`	`900`	`// adds a marker that new field is being adding during update`