LiveQuery does not respect class level permission #3427

Closed
davidruisinger opened this issue Jan 24, 2017 · 4 comments
@davidruisinger

Issue Description

I'm trying to set up messaging functionality with parse server. So I have a Message class which includes a column author. author is a Pointer to the user who created the message object.

Then I've configured the class level permissions so that ONLY the author itself has read access:
[Screenshot of the class level permissions, 2017-01-24]

When I do a normal GET via the RESTApi, I only get the messages the user created itself (as expected).

But my LiveQuery is triggered for messages created by other users...

    // Subscribe to new messages
    let messageQuery = new Parse.Query('Message')
    let subscription = messageQuery.subscribe({
      sessionToken: <SESSION TOKEN FOR THE AUTHOR>,
    })
    subscription.on('create', object => {
      console.log('object created ', object.toJSON()) // Gets called ANYTIME a new message is created
    })

Steps to reproduce

  1. Create a class with a column author as a Pointer to the _User class
  2. Configure class level permissions to read permission ONLY for author itself
  3. Subscribe to the class as described above (using SessionToken)
  4. Create a new Message with an author that is NOT the user itself

Expected Results

Subscription event created is NOT triggered

Actual Outcome

Subscription event created IS triggered even though the subscriber is NOT the author

Environment Setup

  • Server
    • parse-server version 2.3.2
    • Operating System: Mac OS
    • Hardware: MacBook Pro 15"
    • Localhost or remote server? localhost

Logs/Trace

You can turn on additional logging by configuring VERBOSE=1 in your environment.
When subscribing to the Message class:

info: Create new client: 0
verbose: Push Response : "{\"op\":\"connected\",\"clientId\":0}"
verbose: Request: {"op":"subscribe","requestId":1,"query":{"className":"Message","where":{}}}
verbose: Push Response : "{\"op\":\"subscribed\",\"clientId\":0,\"requestId\":1}"
verbose: Create client 0 new subscription: 1
verbose: Current client number: 1

When creating a new message as a different user:

verbose: REQUEST for [POST] /parse/classes/Message: {
  "author": {
    "__type": "Pointer",
    "className": "_User",
    "objectId": "RBPw96ozVA"
  },
  "chat": {
    "__type": "Pointer",
    "className": "Chat",
    "objectId": "mNk88SvhOB"
  },
  "content": "Message from another user"
} method=POST, url=/parse/classes/Message, x-parse-application-id=dongxii, x-parse-master-key=HbVS8LF1FWpruDqtX0HdVDdWJ5vVOqE, content-type=application/json, host=localhost:1337, content-length=184, connection=close, __type=Pointer, className=_User, objectId=RBPw96ozVA, __type=Pointer, className=Chat, objectId=mNk88SvhOB, content=Message from another user
verbose: Raw request from cloud code current : {"author":{"__type":"Pointer","className":"_User","objectId":"RBPw96ozVA"},"chat":{"__type":"Pointer","className":"Chat","objectId":"mNk88SvhOB"},"content":"Message from another user","createdAt":"2017-01-24T18:28:27.851Z","updatedAt":"2017-01-24T18:28:27.851Z","objectId":"c5FSZSf3D7"} | original : undefined
verbose: Subscribe messsage "{\"currentParseObject\":{\"author\":{\"__type\":\"Pointer\",\"className\":\"_User\",\"objectId\":\"RBPw96ozVA\"},\"chat\":{\"__type\":\"Pointer\",\"className\":\"Chat\",\"objectId\":\"mNk88SvhOB\"},\"content\":\"Message from another user\",\"createdAt\":\"2017-01-24T18:28:27.851Z\",\"updatedAt\":\"2017-01-24T18:28:27.851Z\",\"objectId\":\"c5FSZSf3D7\",\"__type\":\"Object\",\"className\":\"Message\"}}"
verbose: dongxiiafterSave is triggered
verbose: ClassName: Message | ObjectId: undefined
verbose: Current client number : 1
verbose: RESPONSE from [POST] /parse/classes/Message: {
  "status": 201,
  "response": {
    "objectId": "c5FSZSf3D7",
    "createdAt": "2017-01-24T18:28:27.851Z"
  },
  "location": "http://localhost:1337/parse/classes/Message/c5FSZSf3D7"
} status=201, objectId=c5FSZSf3D7, createdAt=2017-01-24T18:28:27.851Z, location=http://localhost:1337/parse/classes/Message/c5FSZSf3D7
verbose: Original null | Current {"author":{"__type":"Pointer","className":"_User","objectId":"RBPw96ozVA"},"chat":{"__type":"Pointer","className":"Chat","objectId":"mNk88SvhOB"},"content":"Message from another user","createdAt":"2017-01-24T18:28:27.851Z","updatedAt":"2017-01-24T18:28:27.851Z","__type":"Object","className":"Message","objectId":"c5FSZSf3D7"} | Match: false, true, false, true | Query: Message:|[]
verbose: Push Response : "{\"op\":\"create\",\"clientId\":0,\"requestId\":1,\"object\":{\"author\":{\"__type\":\"Pointer\",\"className\":\"_User\",\"objectId\":\"RBPw96ozVA\"},\"chat\":{\"__type\":\"Pointer\",\"className\":\"Chat\",\"objectId\":\"mNk88SvhOB\"},\"content\":\"Message from another user\",\"createdAt\":\"2017-01-24T18:28:27.851Z\",\"updatedAt\":\"2017-01-24T18:28:27.851Z\",\"__type\":\"Object\",\"className\":\"Message\",\"objectId\":\"c5FSZSf3D7\"}}"
@davidruisinger
Author

Update
As I just noticed from the docs, the sessionToken is passed in a different way:

      let LiveQueryClient = Parse.LiveQueryClient
      let client = new LiveQueryClient({
        applicationId: 'MYApp',
        serverURL: 'ws://localhost:1337/parse',
      })
      client.open()
      // Subscribe to new messages
      let messageQuery = new Parse.Query('Message')
      let subscription = client.subscribe(messageQuery, <MY SESSION TOKEN>)

But still, even if NO session token is passed to the parse server, the LiveQuery should still respect the class level permission.
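The check the two posts above are asking for, as an added example (not parse-server's own code): before a LiveQuery server pushes a `create` event to a subscriber, it has to evaluate the class level permission against that subscriber the same way a REST `find` would. The CLP shape (`find`, `get`, `readUserFields`) follows parse-server's own format; the subscriber records, the `clientId`/`userId` fields and the sample objects are constructed for the example, and role permissions are not modelled.

```javascript
// Does `value` (one Pointer or an array of Pointers) point at the given user?
function pointerMatches(value, userId) {
  const ptrs = Array.isArray(value) ? value : [value];
  return ptrs.some(p => p && p.__type === 'Pointer' &&
                        p.className === '_User' && p.objectId === userId);
}

// Evaluate a class level permission for one subscriber.
// clp: e.g. { find: { '*': true }, get: {...}, readUserFields: ['author'] }
// subscriber: { clientId, userId }; userId is null when no session token was sent.
function canReadObject(clp, object, subscriber) {
  if (!clp) return true;                 // no CLP configured: class is public
  const perm = clp.find || {};           // LiveQuery matching is a find, not a get
  if (perm['*']) return true;            // public read
  const uid = subscriber.userId;
  if (!uid) return false;                // anonymous client and class is not public
  if (perm[uid]) return true;            // user id listed explicitly in the CLP
  // Pointer permissions: readable only when a listed field points at this user.
  const fields = clp.readUserFields || [];
  return fields.some(f => pointerMatches(object[f], uid));
}

// Return the clientIds that may actually receive the create event for `object`.
function deliverCreate(clp, object, subscribers) {
  return subscribers
    .filter(s => canReadObject(clp, object, s))
    .map(s => s.clientId);
}

// Constructed sample mirroring the issue: read access only via the author pointer.
const MESSAGE_CLP = { find: {}, get: {}, readUserFields: ['author'] };
const MESSAGE = {
  className: 'Message', objectId: 'c5FSZSf3D7', content: 'Message from another user',
  author: { __type: 'Pointer', className: '_User', objectId: 'RBPw96ozVA' },
};
const SUBSCRIBERS = [
  { clientId: 0, userId: 'someOtherUser' }, // the subscriber from the issue
  { clientId: 1, userId: 'RBPw96ozVA' },    // the author of the message
  { clientId: 2, userId: null },            // client that sent no session token
];

module.exports = { pointerMatches, canReadObject, deliverCreate, MESSAGE_CLP, MESSAGE, SUBSCRIBERS };
```

Only client 1 (the author) should receive the push; clients 0 and 2 are the cases the issue reports as wrongly notified.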

@natanrolnik
Contributor

Thanks for reporting the issue in detail, @flavordaaave.
A very similar one was opened in #2851, for the record.

@flovilmart
Contributor

I'm working on it now; it will be part of 2.7.0.

@stale

stale bot commented Sep 18, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
