diff --git a/spec/ParseRole.spec.js b/spec/ParseRole.spec.js
index 44476f1bd2..919e0b5544 100644
--- a/spec/ParseRole.spec.js
+++ b/spec/ParseRole.spec.js
@@ -49,7 +49,7 @@ describe('Parse Role testing', () => {
 }).then((x) => {
 x.set('foo', 'baz');
 // This should fail:
- return x.save();
+ return x.save({},{sessionToken: ""});
 }).then((x) => {
 fail('Should not have been able to save.');
 }, (e) => {
diff --git a/src/Auth.js b/src/Auth.js
index ad9056549a..27bbf885b0 100644
--- a/src/Auth.js
+++ b/src/Auth.js
@@ -80,7 +80,7 @@ Auth.prototype.getUserRoles = function() {
 return Promise.resolve(this.userRoles);
 }
 if (this.rolePromise) {
- return rolePromise;
+ return this.rolePromise;
 }
 this.rolePromise = this._loadRoles();
 return this.rolePromise;
diff --git a/src/RestWrite.js b/src/RestWrite.js
index 54f5cfc996..777973d76d 100644
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -27,6 +27,7 @@ function RestWrite(config, auth, className, query, data, originalData) {
 this.auth = auth;
 this.className = className;
 this.storage = {};
+ this.runOptions = {};
 if (!query && data.objectId) {
 throw new Parse.Error(Parse.Error.INVALID_KEY_NAME, 'objectId ' +
@@ -66,6 +67,8 @@ function RestWrite(config, auth, className, query, data, originalData) {
 // status and location are optional.
 RestWrite.prototype.execute = function() {
 return Promise.resolve().then(() => {
+ return this.getUserAndRoleACL();
+ }).then(() => {
 return this.validateSchema();
 }).then(() => {
 return this.handleInstallation();
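Review bot: The empty `sessionToken` in `x.save({},{sessionToken: ""})` carries no comment explaining why it is passed. Presumably it makes the save run without the logged-in user's session so that the ACL rejects it; that should be confirmed and stated, e.g. `// Save with no session so the write is evaluated as an anonymous request`. The spec still covers only the denied path: nothing visible here asserts that a user holding a role with write access can now update or delete the object, which is the behaviour the rest of the commit adds. The test body starts and ends outside the hunk.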
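Review bot: The constructor default `this.runOptions = {}` has the same shape as the options a master-key request ends up with, so the ACL restriction on writes now exists only if `getUserAndRoleACL()` ran first. Before this commit `runDatabaseOperation` built `options.acl` immediately before the database call (the lines removed in the `@@ -690,18 +712,10 @@` hunk); after it, any path that reaches `database.update` or `database.create` without going through `execute()` would, as far as these hunks show, send no `acl` at all. A guard at the top of the database step would make that fail closed, for example `if (!this.auth.isMaster && !this.runOptions.acl) { throw new Parse.Error(Parse.Error.INTERNAL_SERVER_ERROR, 'ACL not resolved.'); }`. At minimum the field deserves a comment such as `// acl is absent only for master-key requests; set by getUserAndRoleACL()`.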
@@ -88,6 +91,25 @@ RestWrite.prototype.execute = function() {
 });
 };
+// Uses the Auth object to get the list of roles, adds the user id
+RestWrite.prototype.getUserAndRoleACL = function() {
+ if (this.auth.isMaster) {
+ return Promise.resolve();
+ }
+
+ this.runOptions.acl = ['*'];
+
+ if( this.auth.user ){
+ return this.auth.getUserRoles().then((roles) => {
+ roles.push(this.auth.user.id);
+ this.runOptions.acl = this.runOptions.acl.concat(roles);
+ return Promise.resolve();
+ });
+ }else{
+ return Promise.resolve();
+ }
+};
+
 // Validates this operation against the schema.
 RestWrite.prototype.validateSchema = function() {
 return this.config.database.validateObject(this.className, this.data);
@@ -690,18 +712,10 @@ RestWrite.prototype.runDatabaseOperation = function() {
 throw new Parse.Error(Parse.Error.INVALID_ACL, 'Invalid ACL.');
 }
- var options = {};
- if (!this.auth.isMaster) {
- options.acl = ['*'];
- if (this.auth.user) {
- options.acl.push(this.auth.user.id);
- }
- }
-
 if (this.query) {
 // Run an update
 return this.config.database.update(
- this.className, this.query, this.data, options).then((resp) => {
+ this.className, this.query, this.data, this.runOptions).then((resp) => {
 this.response = resp;
 this.response.updatedAt = this.updatedAt;
 });
@@ -714,7 +728,7 @@ RestWrite.prototype.runDatabaseOperation = function() {
 this.data.ACL = ACL;
 }
 // Run a create
- return this.config.database.create(this.className, this.data, options)
+ return this.config.database.create(this.className, this.data, this.runOptions)
 .then(() => {
 var resp = {
 objectId: this.data.objectId,
diff --git a/src/rest.js b/src/rest.js
index 552fa6be8c..094e8ab63e 100644
--- a/src/rest.js
+++ b/src/rest.js
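Review bot: `roles.push(this.auth.user.id)` in `getUserAndRoleACL` mutates the array that `getUserRoles()` resolved with, and the Auth.js hunk shows that method returning `this.userRoles` itself once roles are loaded. If that is the same array, each write appends the user id to the Auth object's cached role list, and `del` in rest.js then copies `auth.userRoles` into its own ACL. Build the list without touching the input: drop the `push` and use `this.runOptions.acl = this.runOptions.acl.concat(roles, [this.auth.user.id]);`. The header comment could also state that `runOptions.acl` is deliberately left unset for master-key requests.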
@@ -56,12 +56,19 @@ function del(config, auth, className, objectId) {
 });
 }
 return Promise.resolve({});
+ }).then(() => {
+ if (!auth.isMaster) {
+ return auth.getUserRoles();
+ }else{
+ return Promise.resolve();
+ }
 }).then(() => {
 var options = {};
 if (!auth.isMaster) {
 options.acl = ['*'];
 if (auth.user) {
 options.acl.push(auth.user.id);
+ options.acl = options.acl.concat(auth.userRoles);
 }
 }
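Review bot: The added `options.acl.concat(auth.userRoles)` reads a field of the Auth object rather than the value `getUserRoles()` resolved with, so it relies on that call having populated `auth.userRoles` as a side effect; if the field is ever undefined, `concat` appends `undefined` to the ACL list. The new step also calls `auth.getUserRoles()` for every non-master request, whereas `getUserAndRoleACL` in RestWrite.js does so only when `auth.user` is set, and whether role loading copes with a missing user is not visible here. Taking the resolved value would remove both doubts: guard the call with `if (!auth.isMaster && auth.user)`, change the following callback to `}).then((roles) => {`, and use `options.acl = options.acl.concat(roles || []);`. `del` starts and ends outside the hunk.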