Ensure we properly lock user

- Improves find method so we can attempt to read for a write poking the right ACL instead of using masterKey
- This ensure we do not run beforeDelete/beforeFind/beforeSave in the wrong scenarios

Author: flovilmart

spec/ParseUser.spec.js

@@ -525,6 +525,71 @@ describe('Parse.User testing', () => {
     });
   });
 
+  it('never locks himself up', async () => {
+    const user = new Parse.User();
+    await user.signUp({
+      username: 'username',
+      password: 'password'
+    });
+    user.setACL(new Parse.ACL());
+    await user.save();
+    await user.fetch();
+    expect(user.getACL().getReadAccess(user)).toBe(true);
+    expect(user.getACL().getWriteAccess(user)).toBe(true);
+    const publicReadACL = new Parse.ACL();
+    publicReadACL.setPublicReadAccess(true);
+
+    // Create an administrator role with a single admin user
+    const role = new Parse.Role('admin', publicReadACL);
+    const admin = new Parse.User();
+    await admin.signUp({
+      username: 'admin',
+      password: 'admin',
+    });
+    role.getUsers().add(admin);
+    await role.save(null, { useMasterKey: true });
+
+    // Grant the admins write rights on the user
+    const acl = user.getACL();
+    acl.setRoleWriteAccess(role, true);
+    acl.setRoleReadAccess(role, true);
+
+    // Update with the masterKey just to be sure
+    await user.save({ ACL: acl }, { useMasterKey: true });
+
+    // Try to update from admin... should all work fine
+    await user.save({ key: 'fromAdmin'}, { sessionToken: admin.getSessionToken() });
+    await user.fetch();
+    expect(user.toJSON().key).toEqual('fromAdmin');
+
+    // Try to save when logged out (public)
+    let failed = false;
+    try {
+      // Ensure no session token is sent
+      await Parse.User.logOut();
+      await user.save({ key: 'fromPublic'});
+    } catch(e) {
+      failed = true;
+      expect(e.code).toBe(Parse.Error.SESSION_MISSING);
+    }
+    expect({ failed }).toEqual({ failed: true });
+
+    // Try to save with a random user, should fail
+    failed = false;
+    const anyUser = new Parse.User();
+    await anyUser.signUp({
+      username: 'randomUser',
+      password: 'password'
+    });
+    try {
+      await user.save({ key: 'fromAnyUser'});
+    } catch(e) {
+      failed = true;
+      expect(e.code).toBe(Parse.Error.SESSION_MISSING);
+    }
+    expect({ failed }).toEqual({ failed: true });
+  });
+
   it("current user", (done) => {
     const user = new Parse.User();
     user.set("password", "asdf");

spec/helper.js

@@ -114,7 +114,6 @@ if (process.env.PARSE_SERVER_TEST_CACHE === 'redis') {
 }
 
 const openConnections = {};
-
 // Set up a default API server for testing with default configuration.
 let server;
 

src/Auth.js

@@ -21,11 +21,11 @@ function Auth({ config, isMaster = false, isReadOnly = false, user, installation
 
 // Whether this auth could possibly modify the given user id.
 // It still could be forbidden via ACLs even if this returns true.
-Auth.prototype.couldUpdateUserId = function(userId) {
+Auth.prototype.couldUpdateUserId = function() {
   if (this.isMaster) {
     return true;
   }
-  if (this.user && this.user.id === userId) {
+  if (this.user) {
     return true;
   }
   return false;

src/Controllers/DatabaseController.js

@@ -869,7 +869,8 @@ class DatabaseController {
     op,
     distinct,
     pipeline,
-    readPreference
+    readPreference,
+    isWrite,
   }: any = {}): Promise<any> {
     const isMaster = acl === undefined;
     const aclGroup = acl || [];
@@ -930,7 +931,11 @@ class DatabaseController {
                   }
                 }
                 if (!isMaster) {
-                  query = addReadACL(query, aclGroup);
+                  if (isWrite) {
+                    query = addWriteACL(query, aclGroup);
+                  } else {
+                    query = addReadACL(query, aclGroup);
+                  }
                 }
                 validateQuery(query);
                 if (count) {

src/RestQuery.js

@@ -24,12 +24,13 @@ function RestQuery(config, auth, className, restWhere = {}, restOptions = {}, cl
   this.clientSDK = clientSDK;
   this.response = null;
   this.findOptions = {};
+  this.isWrite = false;
+
   if (!this.auth.isMaster) {
-    this.findOptions.acl = this.auth.user ? [this.auth.user.id] : null;
     if (this.className == '_Session') {
-      if (!this.findOptions.acl) {
+      if (!this.auth.user) {
         throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN,
-          'This session token is invalid.');
+          'invalid session token');
       }
       this.restWhere = {
         '$and': [this.restWhere, {
@@ -188,17 +189,28 @@ RestQuery.prototype.buildRestWhere = function() {
   });
 }
 
+// Marks the query for a write attempt, so we read the proper ACL (write instead of read)
+RestQuery.prototype.forWrite = function() {
+  this.isWrite = true;
+  return this;
+}
+
 // Uses the Auth object to get the list of roles, adds the user id
 RestQuery.prototype.getUserAndRoleACL = function() {
-  if (this.auth.isMaster || !this.auth.user) {
+  if (this.auth.isMaster) {
     return Promise.resolve();
   }
-  return this.auth.getUserRoles().then((roles) => {
-    // Concat with the roles to prevent duplications on multiple calls
-    const aclSet = new Set([].concat(this.findOptions.acl, roles));
-    this.findOptions.acl = Array.from(aclSet);
+
+  this.findOptions.acl = ['*'];
+
+  if (this.auth.user) {
+    return this.auth.getUserRoles().then((roles) => {
+      this.findOptions.acl = this.findOptions.acl.concat(roles, [this.auth.user.id]);
+      return;
+    });
+  } else {
     return Promise.resolve();
-  });
+  }
 };
 
 // Changes the className if redirectClassNameForKey is set.
@@ -523,6 +535,9 @@ RestQuery.prototype.runFind = function(options = {}) {
   if (options.op) {
     findOptions.op = options.op;
   }
+  if (this.isWrite) {
+    findOptions.isWrite = true;
+  }
   return this.config.database.find(this.className, this.restWhere, findOptions)
     .then((results) => {
       if (this.className === '_User') {

src/RestWrite.js

@@ -965,7 +965,7 @@ RestWrite.prototype.runDatabaseOperation = function() {
 
   if (this.className === '_User' &&
       this.query &&
-      !this.auth.couldUpdateUserId(this.query.objectId)) {
+      !this.auth.couldUpdateUserId()) {
     throw new Parse.Error(Parse.Error.SESSION_MISSING, `Cannot modify user ${this.query.objectId}.`);
   }
 

src/rest.js

@@ -8,7 +8,6 @@
 // things.
 
 var Parse = require('parse/node').Parse;
-import Auth from './Auth';
 
 var RestQuery = require('./RestQuery');
 var RestWrite = require('./RestWrite');
@@ -54,7 +53,7 @@ function del(config, auth, className, objectId) {
       'bad objectId');
   }
 
-  if (className === '_User' && !auth.couldUpdateUserId(objectId)) {
+  if (className === '_User' && !auth.couldUpdateUserId()) {
     throw new Parse.Error(Parse.Error.SESSION_MISSING,
       'insufficient auth to delete user');
   }
@@ -67,7 +66,9 @@ function del(config, auth, className, objectId) {
     const hasTriggers = checkTriggers(className, config, ['beforeDelete', 'afterDelete']);
     const hasLiveQuery = checkLiveQuery(className, config);
     if (hasTriggers || hasLiveQuery || className == '_Session') {
-      return find(config, auth, className, {objectId: objectId})
+      return new RestQuery(config, auth, className, { objectId })
+        .forWrite()
+        .execute()
         .then((response) => {
           if (response && response.results && response.results.length) {
             const firstResult = response.results[0];
@@ -110,6 +111,8 @@ function del(config, auth, className, objectId) {
     }, options);
   }).then(() => {
     return triggers.maybeRunTrigger(triggers.Types.afterDelete, auth, inflatedObject, null, config);
+  }).catch((error) => {
+    handleSessionMissingError(error, className, auth);
   });
 }
 
@@ -130,20 +133,33 @@ function update(config, auth, className, restWhere, restObject, clientSDK) {
     const hasTriggers = checkTriggers(className, config, ['beforeSave', 'afterSave']);
     const hasLiveQuery = checkLiveQuery(className, config);
     if (hasTriggers || hasLiveQuery) {
-      return find(config, Auth.master(config), className, restWhere);
+      // Do not use find, as it runs the before finds
+      return new RestQuery(config, auth, className, restWhere)
+        .forWrite()
+        .execute();
     }
     return Promise.resolve({});
-  }).then((response) => {
+  }).then(({ results }) => {
     var originalRestObject;
-    if (response && response.results && response.results.length) {
-      originalRestObject = response.results[0];
+    if (results && results.length) {
+      originalRestObject = results[0];
     }
-
-    var write = new RestWrite(config, auth, className, restWhere, restObject, originalRestObject, clientSDK);
-    return write.execute();
+    return new RestWrite(config, auth, className, restWhere, restObject, originalRestObject, clientSDK)
+      .execute();
+  }).catch((error) => {
+    handleSessionMissingError(error, className, auth);
   });
 }
 
+function handleSessionMissingError(error, className) {
+  // If we're trying to update a user without / with bad session token
+  if (className === '_User'
+      && error.code === Parse.Error.OBJECT_NOT_FOUND) {
+    throw new Parse.Error(Parse.Error.SESSION_MISSING, 'insuffisant auth.');
+  }
+  throw error;
+}
+
 const classesWithMasterOnlyAccess = ['_JobStatus', '_PushStatus', '_Hooks', '_GlobalConfig', '_JobSchedule'];
 // Disallowing access to the _Role collection except by master key
 function enforceRoleSecurity(method, className, auth) {