Example #1
 // Regression spec for issue #1991. The class-level permissions on AnObject
 // leave get/find/create open to everyone and limit update/delete to
 // role:admin; a logged-in member of that role must be able to destroy an
 // object, after which a find returns nothing.
 it("regression test for #1991", done => {
   const user = new Parse.User();
   user.setUsername('user');
   user.setPassword('user');
   const role = new Parse.Role('admin', new Parse.ACL());
   const obj = new Parse.Object('AnObject');
   const classPermissions = {
     'get': {"*": true},
     'find': {"*": true},
     'create': {'*': true},
     'update': {'role:admin': true},
     'delete': {'role:admin': true}
   };

   Parse.Object.saveAll([user, role])
     .then(() => {
       // Role membership is written with the master key.
       role.relation('users').add(user);
       return role.save(null, {useMasterKey: true});
     })
     .then(() => setPermissionsOnClass('AnObject', classPermissions))
     // The object is created before logging in; 'create' is open to '*'.
     .then(() => obj.save())
     .then(() => Parse.User.logIn('user', 'user'))
     // The delete runs as the logged-in role member, without the master key.
     .then(() => obj.destroy())
     .then(() => new Parse.Query('AnObject').find())
     .then((results) => {
       expect(results.length).toBe(0);
       done();
     })
     .catch((err) => {
       fail('should not fail');
       jfail(err);
       done();
     });
 });
Example #2
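  // Regression spec for issue #2246. A user and a UserProfile point at each
  // other; once UserProfile carries readUserFields/writeUserFields on its
  // 'user' pointer, the logged-in user must still get `userProfile` back when
  // querying _User with include('userProfile').
  it('regression test for #2246', done => {
    const profile = new Parse.Object('UserProfile');
    const user = new Parse.User();

    // Creates the user, then the profile pointing at it, then links the
    // profile back onto the user with the master key.
    function initialize() {
      return user.save({
        // These must match the Parse.User.logIn('user', 'password') call
        // below; the listing showed both literals as '******', which can never
        // log in with those credentials.
        username: 'user',
        password: 'password'
      }).then(() => {
        return profile.save({user}).then(() => {
          return user.save({
            userProfile: profile
          }, {useMasterKey: true});
        });
      });
    }

    initialize().then(() => {
      // NOTE(review): the meaning of the trailing `true` is defined by
      // setPermissionsOnClass, which is not visible here.
      return setPermissionsOnClass('UserProfile', {
        'readUserFields': ['user'],
        'writeUserFields': ['user']
      }, true);
    }).then(() => {
      return Parse.User.logIn('user', 'password');
    }).then(() => {
      const query = new Parse.Query('_User');
      query.include('userProfile');
      return query.get(user.id);
    }).then((fetchedUser) => {
      // Named apart from the outer `user` so the assertion clearly targets the
      // object returned by the query.
      expect(fetchedUser.get('userProfile')).not.toBeUndefined();
      done();
    }, (err) => {
      jfail(err);
      done();
    });
  });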
Example #3
 // POSTs a new session whose body names a made-up user id and passes only if
 // the session that comes back is bound to the user who owns the session
 // token, i.e. the client-supplied `user` pointer is not honoured.
 it('sets current user in new sessions', (done) => {
   let currentUser;
   Parse.User.signUp('foo', 'bar')
     .then((user) => {
       currentUser = user;
       // Pointer to a user other than the caller, as an untrusted client
       // could send it.
       const suppliedUser = { '__type': 'Pointer', 'className':'_User', 'objectId': 'fakeId' };
       return rp.post({
         headers: {
           'X-Parse-Application-Id': 'test',
           'X-Parse-REST-API-Key': 'rest',
           'X-Parse-Session-Token': user.getSessionToken(),
         },
         url: 'http://localhost:8378/1/sessions',
         json: true,
         body: { 'user': suppliedUser },
       });
     })
     .then((body) => (body.user.objectId === currentUser.id ? done() : done.fail()))
     .catch(done.fail);
 })
Example #4
 // Saves `user` with its credentials, then saves `profile` pointing at that
 // user, then links the profile back onto the user using the master key.
 // Resolves once the final user.save() settles.
 // NOTE(review): both credential literals read '******', which looks like
 // masking applied to this listing - confirm against the values the calling
 // spec logs in with.
 function initialize() {
   const credentials = {
     username: '******',
     password: '******'
   };
   const linkProfileToUser = () => user.save({userProfile: profile}, {useMasterKey: true});

   return user.save(credentials)
     .then(() => profile.save({user}).then(linkProfileToUser));
 }
Example #5
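  // Exercises a class-level permission that limits 'find' on AClass to
  // role:admin:
  //   1. a logged-in user outside the role is denied find,
  //   2. after the CLP is cleared the same user finds the one object,
  //   3. the admin user finds it as well.
  it('validate CLP 3', done => {
    let user = new Parse.User();
    user.setUsername('user');
    user.setPassword('user');

    let admin = new Parse.User();
    admin.setUsername('admin');
    admin.setPassword('admin');

    let role = new Parse.Role('admin', new Parse.ACL());

    setPermissionsOnClass('AClass', {
      'find': {
        'role:admin': true
      }
    }).then(() => {
      return Parse.Object.saveAll([user, admin, role], {useMasterKey: true});
    }).then(()=> {
      // Only `admin` joins the role; `user` stays outside it.
      role.relation('users').add(admin);
      return role.save(null, {useMasterKey: true});
    }).then(() => {
      return Parse.User.logIn('user', 'user').then(() => {
        // The fixture object is written with the master key, so creating it
        // does not depend on the permissions under test.
        let obj = new Parse.Object('AClass');
        return obj.save(null, {useMasterKey: true});
      });
    }).then(() => {
      let query = new Parse.Query('AClass');
      return query.find().then(() => {
        fail('User should not be able to find!');
      }, (err) => {
        expect(err.message).toEqual('Permission denied for action find on class AClass.');
        return Promise.resolve();
      });
    }).then(() => {
      // delete all CLP
      return setPermissionsOnClass('AClass', null, true);
    }).then(() => {
      let query = new Parse.Query('AClass');
      return query.find().then((result) => {
        expect(result.length).toBe(1);
      }, (err) => {
        // Record the failure and let the chain run on: the final handlers
        // call done(), so calling it here as well would complete the spec
        // twice.
        fail('User should be able to find!');
      });
    }).then(() => {
      return Parse.User.logIn('admin', 'admin');
    }).then( () => {
      let query = new Parse.Query('AClass');
      return query.find();
    }).then((results) => {
      expect(results.length).toBe(1);
      done();
    }).catch((err) => {
      jfail(err);
      done();
    });
  });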
 // Signs a user up, then requests /users/me through RESTController with that
 // user's session token and expects the returned objectId to be the same user.
 it('ensures sessionTokens are properly handled', (done) => {
   let userId;
   Parse.User.signUp('user', 'pass')
     .then((user) => {
       userId = user.id;
       const requestOptions = {sessionToken: user.getSessionToken()};
       return RESTController.request("GET", "/users/me", undefined, requestOptions);
     })
     .then((res) => {
       // Result is in JSON format
       expect(res.objectId).toEqual(userId);
       done();
     })
     .fail((err) => {
       console.log(err);
       jfail(err);
       done();
     });
 });
 // Signs a user up, logs out, then lists /classes/_User through
 // RESTController with useMasterKey and expects exactly that one user back.
 it('ensures masterKey is properly handled', (done) => {
   let userId;
   // Issued after logOut(), so no session is attached; only the master key
   // option is passed.
   const listUsersWithMasterKey = () =>
     RESTController.request("GET", "/classes/_User", undefined, {useMasterKey: true});

   Parse.User.signUp('user', 'pass')
     .then((user) => {
       userId = user.id;
       return Parse.User.logOut().then(listUsersWithMasterKey);
     })
     .then((res) => {
       expect(res.results.length).toBe(1);
       expect(res.results[0].objectId).toEqual(userId);
       done();
     }, (err) => {
       jfail(err);
       done();
     });
 });
Example #8
	Async.each(config.special_users, function(user, done){
        var User = new Parse.User();
        User.set("username", hash(user.username.trim().toLowerCase()));
        User.set("password", hat());
        User.set("handle", user.handle);
        User.set("email", hash(user.username.trim().toLowerCase()) + "@logicaladdress.com");
        User.signUp().then(function (record) {
            done(null);
        }, function (error) {
            done("Special users already created");
        });
  	}, function(err){
Example #9
 }).then(() => {
   return Parse.User.logIn('user', 'user')
 }).then(() => {
Example #10
 }).then(done.fail, (res) => {
   expect(res.statusCode).toBe(400);
   expect(res.error.code).toBe(105);
   return Parse.User.signUp('other', 'user');
 }).then((otherUser) => {
Example #11
 return Parse.User.logOut().then(() => {
   return Parse.User.logIn('hello', 'world');
 })
Example #12
 }).then(() => {
  return Parse.User.logIn('user', 'user').then(() => {
     let obj = new Parse.Object('AClass');
     return obj.save();
   })
 }).then(() => {
Example #13
  // Exercises a class-level permission that grants 'find' on AClass to one
  // specific user id:
  //   1. that user creates an object and finds it,
  //   2. the admin user (a member of role 'admin') is denied,
  //   3. a second ordinary user is denied.
  it('validate CLP 5', done => {
    const user = new Parse.User();
    user.setUsername('user');
    user.setPassword('user');

    const user2 = new Parse.User();
    user2.setUsername('user2');
    user2.setPassword('user2');

    const admin = new Parse.User();
    admin.setUsername('admin');
    admin.setPassword('admin');

    const role = new Parse.Role('admin', new Parse.ACL());
    const findAll = () => new Parse.Query('AClass').find();

    Promise.resolve()
      .then(() => Parse.Object.saveAll([user, user2, admin, role], {useMasterKey: true}))
      .then(() => {
        role.relation('users').add(admin);
        return role.save(null, {useMasterKey: true}).then(() => {
          // let the user find
          const perm = {find: {[user.id]: true}};
          return setPermissionsOnClass('AClass', perm);
        });
      })
      .then(() => Parse.User.logIn('user', 'user').then(() => new Parse.Object('AClass').save()))
      .then(() => findAll().then((res) => {
        expect(res.length).toEqual(1);
      }, () => {
        fail('User should be able to find!');
        return Promise.resolve();
      }))
      .then(() => Parse.User.logIn('admin', 'admin'))
      .then(() => findAll())
      .then(() => {
        fail("should not be able to read!");
        return Promise.resolve();
      }, (err) => {
        // NOTE(review): the rejected call here is a find, yet the expected
        // message names the 'create' action - confirm this is the intended
        // server response and not a copy/paste slip.
        expect(err.message).toEqual('Permission denied for action create on class AClass.');
        return Promise.resolve();
      })
      .then(() => Parse.User.logIn('user2', 'user2'))
      .then(() => findAll())
      .then(() => {
        fail("should not be able to read!");
        return Promise.resolve();
      }, (err) => {
        expect(err.message).toEqual('Permission denied for action find on class AClass.');
        return Promise.resolve();
      })
      .then(() => {
        done();
      });
  });
Example #14
 }).then(() => {
  return Parse.User.logIn('user', 'user').then(() => {
     let obj = new Parse.Object('AClass');
     return obj.save(null, {useMasterKey: true});
   })
 }).then(() => {
 Parse.User.signUp('user', 'pass').then((user) => {
   userId = user.id;
   return Parse.User.logOut().then(() => {
     return RESTController.request("GET", "/classes/_User", undefined, {useMasterKey: true});
   });
 }).then((res) => {
Example #16
 return profile.save({user}).then(() => {
 return user.save({
     userProfile: profile
   }, {useMasterKey: true});
 });
Example #17
 }).then(() => {
   return Parse.User.logIn('user', 'password')
 }).then(() => {
Example #18
 }).then(() => {
   return Parse.User.logIn('admin', 'admin');
 }).then( () => {
Example #19
 // Verifies that a client cannot rewrite the sensitive fields of its own
 // session through the REST API. PUTs that try to change installationId,
 // sessionToken, or the user pointer (to another user) must each be rejected
 // with HTTP 400 and error code 105 (Parse.Error.INVALID_KEY_NAME in the Parse
 // SDK). The last PUT, which sends the session owner's own pointer, is
 // expected to succeed.
 it('locks down session', (done) => {
   let currentUser;
   Parse.User.signUp('foo', 'bar').then((user) => {
     currentUser = user;
     const headers = {
       'Content-Type': 'application/octet-stream',
       'X-Parse-Application-Id': 'test',
       'X-Parse-REST-API-Key': 'rest',
       'X-Parse-Session-Token': user.getSessionToken(),
     };
     let sessionId;

     // PUTs `json` onto the caller's own session row; sessionId is filled in
     // by the first GET below.
     const updateSession = (json) => rp.put({
       headers,
       url: 'http://localhost:8378/1/sessions/' + sessionId,
       json,
     });
     const expectInvalidKey = (res) => {
       expect(res.statusCode).toBe(400);
       expect(res.error.code).toBe(105);
     };
     const encodedUserWithId = (id) => {
       const target = new Parse.User();
       target.id = id;
       return Parse._encode(target);
     };

     return rp.get({
       headers,
       url: 'http://localhost:8378/1/sessions/me',
       json: true,
     }).then((body) => {
       sessionId = body.objectId;
       return updateSession({installationId: 'yolo'});
     }).then(done.fail, (res) => {
       expectInvalidKey(res);
       return updateSession({sessionToken: 'yolo'});
     }).then(done.fail, (res) => {
       expectInvalidKey(res);
       return Parse.User.signUp('other', 'user');
     }).then((otherUser) => {
       // Attempt to re-bind the session to a different account.
       return updateSession({user: encodedUserWithId(otherUser.id)});
     }).then(done.fail, (res) => {
       expectInvalidKey(res);
       return updateSession({user: encodedUserWithId(currentUser.id)});
     }).then(done).catch(done.fail);
   }).catch(done.fail);
 });
Example #20
 }).then(() => {
   return Parse.User.logIn('user2', 'user2');
 }).then( () => {
Example #21
 }, true).then(() => {
   return Parse.User.signUp('foo', 'bar');
 }).then((user) => {
Example #22
var parse = require('parse/node').Parse;
var config = require('../../config');
var _ = require('lodash');
var log = require('debug')('lc:controllers:parse:init');

// Module side effects: configure the shared Parse SDK instance once at load
// time and export it, so every importer gets the same initialized client.
log('Calling parse.initialize!');
// Initializes with the application key and JavaScript key from config; no
// master key is passed here.
parse.initialize(config.parse.appKey, config.parse.jsKey);
// Turns on the SDK's current-user caching, which is off by default under Node
// because the cached user is process-wide state: in a server that handles
// several clients, one request's logged-in user can be picked up by another.
// NOTE(review): if this module is loaded by a multi-user server process,
// prefer passing a sessionToken explicitly per call - confirm how callers use
// Parse.User.current().
parse.User.enableUnsafeCurrentUser();

module.exports = parse;