query.distinct ignores ACL permissions

[stevestencil]

Issue Description

When making a query using the query.distinct(), ACL and CLP permissions are ignored.

Steps to reproduce

    const query = new Parse.Query(<custom class name with ACLs>);
    const token = { sessionToken: req.user.getSessionToken() };
    const results = await query.distinct(<custom property>, token);

Expected Results

Only the unique results from the allowed objects via the ACL and CLP permissions should be returned

Actual Outcome

Every unique value from every object regardless of ACL and CLP permissions is being returned

Environment Setup

• Server

  • parse-server version (Be specific! Don't say 'latest'.) : 2.8.2
  • Operating System: OSX 10.4
  • Hardware: iMac i7
  • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): Localhost

• Database

  • MongoDB version: ?
  • Storage engine: ?
  • Hardware: ?
  • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): mLab

[acinader]

I think that this is the expected behavior. If you look at the JS SDK documentation https://docs.parseplatform.org/js/guide/#distinct note that it explicitly calls out that the master key is required. When the master key is used, ACLs & CLPs are ignored.

[stevestencil]

I do not believe this is correct. This is not how it should work in my opinion. In the API reference section of the docs (not the Guide) https://parseplatform.org/Parse-SDK-JS/api/master/Parse.Query.html#distinct, it shows that you can pass a session token in.

The expected behavior should be as a normal find() query. You should be able to pass in the master key if you want ALL results and a session token if you want the ACL CLP results.

[flovilmart]

The documentation is wrong then we never intended to make the distinct / aggregates work with ACL’s and CLP IIRC. @dplewis what do you think?

[stevestencil]

Having it be able to use the ACL's and CLP's would be more beneficial as it would give the option to pass in a session token or master key depending on the need.

[flovilmart]

You can always open a PR to support this feature if this is something you need. We’ll promptly review and most likely guide you through the hoops

[dplewis]

Per our dicussion #4197

We used MasterKey to prevent DDOS attacks as aggregates can be expensive operation, we didn't talk much about ACL's / CLP's.

Didn't want a repeat of #3813

@flovilmart Your solution to #3813 was to add count class level permission. Maybe we could do the same for aggregates?

[flovilmart]

Perhaps? We should probably update the dashboard as well :)

[dplewis]

I've had the issue open for a while. parse-community/parse-dashboard#888 I can take a crack at it. Don't know react that well tho.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[micaelomota]

has anybody found a solution for this?
I have a class "Race" and other "Driver". The race has a pointer to the Driver. I'm trying to do like
$query->distinct("driver"); with the PHP SDK.