diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca6cb0bb94..03c0ea0781 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,9 +3,18 @@
 ### master
 [Full Changelog](https://github.com/parse-community/parse-server/compare/2.7.0...master)
+### 2.7.1
+[Full Changelog](https://github.com/parse-community/parse-server/compare/2.7.1...2.7.0)
+
+:warning: Fixes a security issue affecting Class Level Permissions
+
+* Adds support for dot notation when using matchesKeyInQuery, thanks to [Henrik](https://github.com/bohemima) and [Arthur Cinader](https://github.com/acinader)
+
 ### 2.7.0
 [Full Changelog](https://github.com/parse-community/parse-server/compare/2.7.0...2.6.5)
+:warning: This version contains an issue affecting Class Level Permissions on mongoDB. Please upgrade to 2.7.1.
+
 Starting parse-server 2.7.0, the minimun nodejs version is 6.11.4, please update your engines before updating parse-server
 #### New Features:
diff --git a/package.json b/package.json
index 72e7533f84..0a6ce60975 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "parse-server",
- "version": "2.7.0",
+ "version": "2.7.1",
 "description": "An express module providing a Parse-compatible API server",
 "main": "lib/index.js",
 "repository": {
diff --git a/spec/schemas.spec.js b/spec/schemas.spec.js
index 8c7481d9bb..8f689d7189 100644
--- a/spec/schemas.spec.js
+++ b/spec/schemas.spec.js
@@ -2,6 +2,7 @@
 var Parse = require('parse/node').Parse;
 var request = require('request');
+const rp = require('request-promise');
 var dd = require('deep-diff');
 var Config = require('../src/Config');
@@ -1721,6 +1722,35 @@ describe('schemas', () => {
 });
 });
+
+ it("regression test for #4409 (indexes override the clp)", done => {
+ setPermissionsOnClass('_Role', {
+ 'get': {"*": true},
+ 'find': {"*": true},
+ 'create': {'*': true},
+ }, true).then(() => {
+ const config = Config.get('test');
+ return config.database.adapter.updateSchemaWithIndexes();
+ }).then(() => {
+ return rp.get({
+ url: 'http://localhost:8378/1/schemas/_Role',
+ headers: masterKeyHeaders,
+ json: true,
+ });
+ }).then((res) => {
+ expect(res.classLevelPermissions).toEqual({
+ 'get': {"*": true},
+ 'find': {"*": true},
+ 'create': {'*': true},
+ 'update': {},
+ 'delete': {},
+ 'addField': {},
+ });
+ console.log(res);
+ }).then(done).catch(done.fail);
+ });
+
+
+
 it('regression test for #2246', done => {
 const profile = new Parse.Object('UserProfile');
 const user = new Parse.User();
diff --git a/src/Adapters/Storage/Mongo/MongoStorageAdapter.js b/src/Adapters/Storage/Mongo/MongoStorageAdapter.js
index cd70cf9bb5..5158e58c14 100644
--- a/src/Adapters/Storage/Mongo/MongoStorageAdapter.js
+++ b/src/Adapters/Storage/Mongo/MongoStorageAdapter.js
@@ -166,7 +166,7 @@ export class MongoStorageAdapter {
 setClassLevelPermissions(className, CLPs) {
 return this._schemaCollection()
 .then(schemaCollection => schemaCollection.updateSchema(className, {
- $set: { _metadata: { class_permissions: CLPs } }
+ $set: { '_metadata.class_permissions': CLPs }
 }));
 }
@@ -212,7 +212,7 @@ export class MongoStorageAdapter {
 .then(() => insertPromise)
 .then(() => this._schemaCollection())
 .then(schemaCollection => schemaCollection.updateSchema(className, {
- $set: { _metadata: { indexes: existingIndexes } }
+ $set: { '_metadata.indexes': existingIndexes }
 }));
 }
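Review bot: `console.log(res);` after the expectation in the new `#4409` test is leftover debug output and should be removed so the suite stays quiet. The test pins only one ordering, permissions written first and `updateSchemaWithIndexes()` second. The `setClassLevelPermissions` change in this same commit fixes the mirror case, where writing permissions replaced the whole `_metadata` object, and nothing here asserts that stored indexes survive a permissions update. A second case that writes indexes, then permissions, then checks both would cover that path.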
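Review bot: The dotted `$set` path in `setClassLevelPermissions` needs a one-line why-comment, because the old form looks equivalent at a glance while it replaced the entire `_metadata` sub-document: `// Dotted path on purpose: $set on _metadata as a whole would drop its sibling keys (indexes / class_permissions)`. The hunks at -212 and -231 apply the same fix to `_metadata.indexes` and want the same comment; the functions they patch begin outside their hunks. The change stops further overwrites but does not restore `class_permissions` that an index write under 2.7.0 already removed. Deployments that ran 2.7.0 on MongoDB presumably need their CLPs checked and re-applied after upgrading, and the changelog entry could say so.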
@@ -231,7 +231,7 @@ export class MongoStorageAdapter {
 }, {});
 return this._schemaCollection()
 .then(schemaCollection => schemaCollection.updateSchema(className, {
- $set: { _metadata: { indexes: indexes } }
+ $set: { '_metadata.indexes': indexes }
 }));
 }).catch(() => {
 // Ignore if collection not found
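Review bot: The `.catch(() => {` that follows the patched `updateSchema` call discards every rejection, not only the "collection not found" case its comment names, so a failed `_metadata.indexes` write would go unnoticed. Narrowing the handler to the expected error and rethrowing anything else would surface such a failure. How this adapter identifies the not-found error is not visible here, so that check has to come from the surrounding code. The enclosing function starts and ends outside the hunk.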