Query for _User does not respect Permissions

[davidruisinger]

Environment Setup

Admin User:

{
  "_id": "O3jWo2iQrF",
  "_rperm": [
    "O3jWo2iQrF"
  ],
  "_wperm": [
    "O3jWo2iQrF"
  ],
  ...
}

Customer 1:

{
  "_id": "Zuic5eMXZi",
  "_rperm": [
    "Zuic5eMXZi",
    "role:admin"
  ],
  "_wperm": [
    "Zuic5eMXZi",
    "role:admin"
  ],
...
}

Customer 2:

{
  "_id": "bbPQI27JJI",
  "_rperm": [
    "bbPQI27JJI",
    "role:admin"
  ],
  "_wperm": [
    "bbPQI27JJI",
    "role:admin"
  ],
...
}

Steps to reproduce

I'm using this query to get a list of users:

    var query = new Parse.Query('_User');
    query.find({
      success: users => {
        console.log(users);
      },
      error: error => {
        console.log("Error: " + error.code + " " + error.message);
      }
    });

Side-Note: For some reasons the query only returns anything if I directly call login upfront. If I call the query again (without login upfront) but the user still is logged in, the query returns an empty array...

Problem:
The admin gets all users back in the query
Customer 1 gets himself AND Customer 2 back.

Expected behavior

Customer 1 ONLY gets himself back
(Query returns result without the need to ALWAYS call login upfront)

[davidruisinger]

It seems like there's a general problem with permissions since my whole setup is not working as expected:
Building on top of the example I posted above I also have a Product:

{
  "_id": "lxKDlOsTpk",
  "_rperm": [
    "*"
  ],
  "_wperm": [
    "role:admin"
  ],
...
}

My Join:user:_Role looks like this:

{
  "relatedId": "O3jWo2iQrF", // Admin User
  "owningId": "ZsRF5ckXsZ" // Admin Role
}

and

{
  "relatedId": "Zuic5eMXZi", // Customer 1
  "owningId": "ibM9P1eVDQ" // Customer Role
}

All user can see the product, which is correct BUT

• the admin can modify the product => Correct
• customer 1 CAN ALSO modify product => WRONG

[flovilmart]

@flavordaaave we merged #841, is that fixing for you?

[gfosco]

I'm not able to reproduce these permissions issues with the current code. Created a test in #878 which covers a mix of what is reported here and in #683.

I'd suggest trying to build a test case, and if you're able to find a problem, please report it in a new issue.

[davidruisinger]

@flovilmart as already mentioned in #683 everything works as it should using latest master branch including #841 👍