Apply credential stripping to all untransforms for _User (parse-community#1498) (reverted from commit d57e384)

steven-supersolid · steven-supersolid · commit c1bc8335212a · 2016-04-20T12:46:40.000+01:00
diff --git a/spec/RestQuery.spec.js b/spec/RestQuery.spec.js
@@ -7,9 +7,6 @@ var rest = require('../src/rest');
 var querystring = require('querystring');
 var request = require('request');
 
-var DatabaseAdapter = require('../src/DatabaseAdapter');
-var database = DatabaseAdapter.getDatabaseConnection('test', 'test_');
-
 var config = new Config('test');
 var nobody = auth.nobody(config);
 
@@ -38,40 +35,6 @@ describe('rest query', () => {
     });
   });
 
-  describe('query for user w/ legacy credentials', () => {
-    var data = {
-      username: 'blah',
-      password: 'pass',
-      sessionToken: 'abc123',
-    }
-    describe('without masterKey', () => {
-      it('has them stripped from results', (done) => {
-        database.create('_User', data).then(() => {
-          return rest.find(config, nobody, '_User')
-        }).then((result) => {
-          var user = result.results[0];
-          expect(user.username).toEqual('blah');
-          expect(user.sessionToken).toBeUndefined();
-          expect(user.password).toBeUndefined();
-          done();
-        });
-      });
-    });
-    describe('with masterKey', () => {
-      it('has them stripped from results', (done) => {
-        database.create('_User', data).then(() => {
-          return rest.find(config, {isMaster: true}, '_User')
-        }).then((result) => {
-          var user = result.results[0];
-          expect(user.username).toEqual('blah');
-          expect(user.sessionToken).toBeUndefined();
-          expect(user.password).toBeUndefined();
-          done();
-        });
-      });
-    });
-  });
-
   // Created to test a scenario in AnyPic
   it('query with include', (done) => {
     var photo = {
diff --git a/src/Controllers/DatabaseController.js b/src/Controllers/DatabaseController.js
@@ -127,13 +127,12 @@ DatabaseController.prototype.untransformObject = function(
     return object;
   }
 
-  delete object.authData;
-  delete object.sessionToken;
-
   if (isMaster || (aclGroup.indexOf(object.objectId) > -1)) {
     return object;
   }
 
+  delete object.authData;
+  delete object.sessionToken;
   return object;
 };
 

Original file line number	Diff line number	Diff line change
`@@ -127,13 +127,12 @@ DatabaseController.prototype.untransformObject = function(`
`127`	`127`	`return object;`
`128`	`128`	`}`
`129`	`129`
`130`		`- delete object.authData;`
`131`		`- delete object.sessionToken;`
`132`		`-`
`133`	`130`	`if (isMaster \|\| (aclGroup.indexOf(object.objectId) > -1)) {`
`134`	`131`	`return object;`
`135`	`132`	`}`
`136`	`133`
	`134`	`+ delete object.authData;`
	`135`	`+ delete object.sessionToken;`
`137`	`136`	`return object;`
`138`	`137`	`};`
`139`	`138`