"Object not found." instead of "Insufficient auth." when using master key (#5133)

georgesjamous · flovilmart · commit 961abda4eb34 · 2018-10-22T19:33:43.000-04:00
* add additional isMaster check

* adding some tests

* nits

* covering all basis
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
@@ -3314,7 +3314,9 @@ describe('Parse.User testing', () => {
         done();
       });
     });
-  }).pend('this test fails.  See: https://github.com/parse-community/parse-server/issues/5097');
+  }).pend(
+    'this test fails.  See: https://github.com/parse-community/parse-server/issues/5097'
+  );
 
   it('should be able to update user with authData passed', done => {
     let objectId;
@@ -3686,6 +3688,35 @@ describe('Parse.User testing', () => {
       .then(done, done.fail);
   });
 
+  it('should throw OBJECT_NOT_FOUND instead of SESSION_MISSING when using masterKey', async () => {
+    // create a fake user (just so we simulate an object not found)
+    const non_existent_user = Parse.User.createWithoutData('fake_id');
+    try {
+      await non_existent_user.destroy({ useMasterKey: true });
+      throw '';
+    } catch (e) {
+      expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
+    }
+    try {
+      await non_existent_user.save({}, { useMasterKey: true });
+      throw '';
+    } catch (e) {
+      expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND);
+    }
+    try {
+      await non_existent_user.save();
+      throw '';
+    } catch (e) {
+      expect(e.code).toBe(Parse.Error.SESSION_MISSING);
+    }
+    try {
+      await non_existent_user.destroy();
+      throw '';
+    } catch (e) {
+      expect(e.code).toBe(Parse.Error.SESSION_MISSING);
+    }
+  });
+
   describe('issue #4897', () => {
     it_only_db('mongo')(
       'should be able to login with a legacy user (no ACL)',
diff --git a/src/rest.js b/src/rest.js
@@ -250,9 +250,13 @@ function update(config, auth, className, restWhere, restObject, clientSDK) {
     });
 }
 
-function handleSessionMissingError(error, className) {
+function handleSessionMissingError(error, className, auth) {
   // If we're trying to update a user without / with bad session token
-  if (className === '_User' && error.code === Parse.Error.OBJECT_NOT_FOUND) {
+  if (
+    className === '_User' &&
+    error.code === Parse.Error.OBJECT_NOT_FOUND &&
+    !auth.isMaster
+  ) {
     throw new Parse.Error(Parse.Error.SESSION_MISSING, 'Insufficient auth.');
   }
   throw error;
