Upload spec for parse-community#3588

awgeorge · awgeorge · commit 0b23610ecb6c · 2018-02-06T21:30:45.000Z
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
@@ -3537,4 +3537,68 @@ describe('Parse.User testing', () => {
       expect(results.length).toBe(1);
     }).then(done, done.fail);
   });
+
+  describe('with privilaged user', () => {
+    let adminUser;
+    let normalUser;
+
+    beforeEach((done) => {
+      let adminRole;
+      return new Parse.Role("Administrator", new Parse.ACL()).save(null, { useMasterKey: true })
+        .then(role => adminRole = role)
+        .then(() => Parse.User.signUp('normal_user', 'secure'))
+        .then(loggedInUser => {
+          normalUser = loggedInUser
+          const managementRole = new Parse.Role("managementOf_user" + normalUser.id, new Parse.ACL(normalUser));
+          managementRole.getRoles().add(adminRole);
+
+          return managementRole.save(null, { useMasterKey: true }).then(() => {
+            const userACL = new Parse.ACL();
+            userACL.setPublicReadAccess(true);
+            userACL.setPublicWriteAccess(true); // Shouldn't be enforced
+            userACL.setReadAccess(managementRole, true);
+            userACL.setWriteAccess(managementRole, true);
+
+            return normalUser.setACL(userACL).save(null, { useMasterKey: true });
+          });
+        })
+        .then(() => Parse.User.signUp('administrator', 'secure'))
+        .then(loggedInUser => adminUser = loggedInUser)
+        .then(() => Parse.User.logIn(adminUser.get('username'), 'secure'))
+        .then(() => adminRole.getUsers().add(adminUser).save(null, {useMasterKey: true}))
+        .then(() => done());
+    });
+
+    it('admin should be able to update user', (done) => {
+      normalUser.set("username", "test");
+      normalUser.save().then(done, done.fail);
+    });
+
+    it('public should not be able to update user', (done) => {
+      Parse.User.logOut()
+        .then(() => {
+          normalUser.set("username", "test");
+          return normalUser.save().then(done.fail, done)
+        })
+    });
+
+    it('admin should be able to update user via REST with admin credentials', (done) => {
+      request.post({
+        url: 'http://localhost:8378/1/classes/_User',
+        json: true,
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-Javascript-Key': 'test',
+          'X-Parse-Session-Token': adminUser.getSessionToken()
+        },
+        body: {
+          username: "test"
+        }
+      }, function(err, res, body) {
+        expect(body.status).toBe(200);
+        done();
+      });
+    });
+
+  });
 });
diff --git a/spec/UserPII.spec.js b/spec/UserPII.spec.js
@@ -8,20 +8,37 @@ const request = require('request-promise');
 const EMAIL = 'foo@bar.com';
 const ZIP = '10001';
 const SSN = '999-99-9999';
+const NICKNAME = 'PublicNickname';
 
 describe('Personally Identifiable Information', () => {
   let user;
+  let adminUser;
+  let adminRole;
 
   beforeEach(done => {
-    return Parse.User.signUp('tester', 'abc')
+    return new Parse.Role("Administrator", new Parse.ACL()).save(null, { useMasterKey: true })
+      .then(role => adminRole = role)
+      .then(() => Parse.User.signUp('tester', 'abc'))
       .then(loggedInUser => user = loggedInUser)
       .then(() => Parse.User.logIn(user.get('username'), 'abc'))
-      .then(() => user
-        .set('email', EMAIL)
-        .set('zip', ZIP)
-        .set('ssn', SSN)
-        .save())
-      .then(() => done());
+      .then(() => {
+        const managementRole = new Parse.Role("managementOf_user" + user.id, new Parse.ACL(user));
+        managementRole.getRoles().add(adminRole);
+
+        return managementRole.save(null, { useMasterKey: true });
+      }).then((managementRole) => {
+        const userACL = new Parse.ACL();
+        userACL.setPublicReadAccess(true);
+        userACL.setReadAccess(managementRole, true);
+        userACL.setWriteAccess(managementRole, true);
+
+        return user.set('email', EMAIL)
+          .set('zip', ZIP)
+          .set('ssn', SSN)
+          .set('nickname', NICKNAME)
+          .setACL(userACL)
+          .save()})
+      .then(() => done(), (e) => console.log(e));
   });
 
   it('should be able to get own PII via API with object', (done) => {
@@ -50,6 +67,22 @@ describe('Personally Identifiable Information', () => {
       });
   });
 
+  it('should be able to get non PII via API with object', (done) => {
+    Parse.User.logOut()
+      .then(() => {
+        const userObj = new (Parse.Object.extend(Parse.User));
+        userObj.id = user.id;
+        userObj.fetch().then(
+          fetchedUser => {
+            expect(fetchedUser.get('nickname')).toBe(NICKNAME);
+          })
+          .fail(e => {
+            done.fail(JSON.stringify(e));
+          })
+          .done(() => done());
+      });
+  });
+
   it('should be able to get PII via API with object using master key', (done) => {
     Parse.User.logOut()
       .then(() => {
@@ -63,7 +96,6 @@ describe('Personally Identifiable Information', () => {
       });
   });
 
-
   it('should be able to get own PII via API with Find', (done) => {
     new Parse.Query(Parse.User)
       .first()
@@ -236,7 +268,7 @@ describe('Personally Identifiable Information', () => {
       ).done(() => done());
   });
 
-  it('should get PII via REST by ID  with master key', (done) => {
+  it('should get PII via REST by ID with master key', (done) => {
     request.get({
       url: `http://localhost:8378/1/classes/_User/${user.id}`,
       json: true,
@@ -270,6 +302,7 @@ describe('Personally Identifiable Information', () => {
           expect(fetchedUser.get('email')).toBe(EMAIL);
           expect(fetchedUser.get('zip')).toBe(ZIP);
           expect(fetchedUser.get('ssn')).toBe(SSN);
+          expect(fetchedUser.get('nickname')).toBe(NICKNAME);
           done();
         }, e => done.fail(e));
     });
@@ -284,6 +317,7 @@ describe('Personally Identifiable Information', () => {
               expect(fetchedUser.get('email')).toBe(undefined);
               expect(fetchedUser.get('zip')).toBe(undefined);
               expect(fetchedUser.get('ssn')).toBe(undefined);
+              expect(fetchedUser.get('nickname')).toBe(NICKNAME);
             }, e => console.error('error', e))
             .done(() => done());
         });
@@ -299,6 +333,7 @@ describe('Personally Identifiable Information', () => {
               expect(fetchedUser.get('email')).toBe(EMAIL);
               expect(fetchedUser.get('zip')).toBe(ZIP);
               expect(fetchedUser.get('ssn')).toBe(SSN);
+              expect(fetchedUser.get('nickname')).toBe(NICKNAME);
             }, e => console.error('error', e))
             .done(() => done());
         });
@@ -312,6 +347,7 @@ describe('Personally Identifiable Information', () => {
           expect(fetchedUser.get('email')).toBe(EMAIL);
           expect(fetchedUser.get('zip')).toBe(ZIP);
           expect(fetchedUser.get('ssn')).toBe(SSN);
+          expect(fetchedUser.get('nickname')).toBe(NICKNAME);
           done();
         });
     });
@@ -324,6 +360,7 @@ describe('Personally Identifiable Information', () => {
             expect(fetchedUser.get('email')).toBe(undefined);
             expect(fetchedUser.get('zip')).toBe(undefined);
             expect(fetchedUser.get('ssn')).toBe(undefined);
+            expect(fetchedUser.get('nickname')).toBe(NICKNAME);
             done();
           })
         );
@@ -337,6 +374,7 @@ describe('Personally Identifiable Information', () => {
             expect(fetchedUser.get('email')).toBe(EMAIL);
             expect(fetchedUser.get('zip')).toBe(ZIP);
             expect(fetchedUser.get('ssn')).toBe(SSN);
+            expect(fetchedUser.get('nickname')).toBe(NICKNAME);
             done();
           })
         );
@@ -350,6 +388,7 @@ describe('Personally Identifiable Information', () => {
           expect(fetchedUser.get('email')).toBe(EMAIL);
           expect(fetchedUser.get('zip')).toBe(ZIP);
           expect(fetchedUser.get('ssn')).toBe(SSN);
+          expect(fetchedUser.get('nickname')).toBe(NICKNAME);
           done();
         });
     });
@@ -362,6 +401,7 @@ describe('Personally Identifiable Information', () => {
             expect(fetchedUser.get('email')).toBe(undefined);
             expect(fetchedUser.get('zip')).toBe(undefined);
             expect(fetchedUser.get('ssn')).toBe(undefined);
+            expect(fetchedUser.get('nickname')).toBe(NICKNAME);
             done();
           })
         );
@@ -375,6 +415,7 @@ describe('Personally Identifiable Information', () => {
             expect(fetchedUser.get('email')).toBe(EMAIL);
             expect(fetchedUser.get('zip')).toBe(ZIP);
             expect(fetchedUser.get('ssn')).toBe(SSN);
+            expect(fetchedUser.get('nickname')).toBe(NICKNAME);
             done();
           })
         );
@@ -395,6 +436,7 @@ describe('Personally Identifiable Information', () => {
             expect(fetchedUser.zip).toBe(undefined);
             expect(fetchedUser.ssn).toBe(undefined);
             expect(fetchedUser.email).toBe(undefined);
+            expect(fetchedUser.nickname).toBe(NICKNAME);
           },
           e => console.error('error', e.message)
         ).done(() => done());
@@ -416,6 +458,7 @@ describe('Personally Identifiable Information', () => {
             expect(fetchedUser.zip).toBe(ZIP);
             expect(fetchedUser.email).toBe(EMAIL);
             expect(fetchedUser.ssn).toBe(SSN);
+            expect(fetchedUser.nickname).toBe(NICKNAME);
           },
           e => console.error('error', e.message)
         ).done(() => done());
@@ -436,6 +479,7 @@ describe('Personally Identifiable Information', () => {
             expect(fetchedUser.zip).toBe(ZIP);
             expect(fetchedUser.email).toBe(EMAIL);
             expect(fetchedUser.ssn).toBe(SSN);
+            expect(fetchedUser.nickname).toBe(NICKNAME);
           },
           e => console.error('error', e.message)
         ).done(() => done());
@@ -455,6 +499,7 @@ describe('Personally Identifiable Information', () => {
             const fetchedUser = result;
             expect(fetchedUser.zip).toBe(undefined);
             expect(fetchedUser.email).toBe(undefined);
+            expect(fetchedUser.nickname).toBe(NICKNAME);
           },
           e => console.error('error', e.message)
         ).done(() => done());
@@ -475,6 +520,7 @@ describe('Personally Identifiable Information', () => {
             const fetchedUser = result;
             expect(fetchedUser.zip).toBe(ZIP);
             expect(fetchedUser.email).toBe(EMAIL);
+            expect(fetchedUser.nickname).toBe(NICKNAME);
           },
           e => console.error('error', e.message)
         ).done(() => done());
@@ -495,9 +541,75 @@ describe('Personally Identifiable Information', () => {
             const fetchedUser = result;
             expect(fetchedUser.zip).toBe(ZIP);
             expect(fetchedUser.email).toBe(EMAIL);
+            expect(fetchedUser.nickname).toBe(NICKNAME);
           },
           e => console.error('error', e.message)
         ).done(() => done());
     });
   });
+
+  describe('with privilaged user', () => {
+    beforeEach((done) => {
+      return Parse.User.logOut()
+        .then(() => Parse.User.signUp('administrator', 'secure'))
+        .then(loggedInUser => adminUser = loggedInUser)
+        .then(() => Parse.User.logIn(adminUser.get('username'), 'secure'))
+        .then(() => adminRole.getUsers().add(adminUser).save(null, {useMasterKey: true}))
+        .then(() => done());
+    });
+
+    it('admin should be able to get user PII via API with object', (done) => {
+      const userObj = new (Parse.Object.extend(Parse.User));
+      userObj.id = user.id;
+      userObj.fetch().then(
+        fetchedUser => {
+          expect(fetchedUser.get('email')).toBe(EMAIL);
+        }, e => console.error('error', e))
+        .done(() => done());
+    });
+
+    it('admin should be able to get user PII via API with Find', (done) => {
+      new Parse.Query(Parse.User)
+        .first()
+        .then(fetchedUser => {
+          expect(fetchedUser.get('email')).toBe(EMAIL);
+          expect(fetchedUser.get('zip')).toBe(ZIP);
+          expect(fetchedUser.get('ssn')).toBe(SSN);
+          done();
+        });
+    });
+
+    it('admin should be able to get user PII via API with Get', (done) => {
+      new Parse.Query(Parse.User)
+        .get(user.id)
+        .then(fetchedUser => {
+          expect(fetchedUser.get('email')).toBe(EMAIL);
+          expect(fetchedUser.get('zip')).toBe(ZIP);
+          expect(fetchedUser.get('ssn')).toBe(SSN);
+          expect(fetchedUser.get('nickname')).toBe(NICKNAME);
+          done();
+        });
+    });
+
+    it('admin should get PII via REST with admin credentials', (done) => {
+      request.get({
+        url: 'http://localhost:8378/1/classes/_User',
+        json: true,
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-Javascript-Key': 'test',
+          'X-Parse-Session-Token': adminUser.getSessionToken()
+        }
+      })
+        .then(
+          result => {
+            const fetchedUser = result.results[0];
+            expect(fetchedUser.zip).toBe(ZIP);
+            expect(fetchedUser.email).toBe(EMAIL);
+          },
+          e => console.error('error', e.message)
+        ).done(() => done());
+    });
+
+  });
 });
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
@@ -268,7 +268,7 @@ export class UsersRouter extends ClassesRouter {
         throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, `No user found with email ${email}`);
       }
       const user = results[0];
-      
+
       // remove password field, messes with saving on postgres
       delete user.password;
 

Original file line number	Diff line number	Diff line change
`@@ -268,7 +268,7 @@ export class UsersRouter extends ClassesRouter {`
`268`	`268`	throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, `No user found with email ${email}`);
`269`	`269`	`}`
`270`	`270`	`const user = results[0];`
`271`		`-`
	`271`	`+`
`272`	`272`	`// remove password field, messes with saving on postgres`
`273`	`273`	`delete user.password;`
`274`	`274`