Do not allow to protect default fields (parse-community#6439)

* consider default columns * disallow protecting default fields
UnderratedDev · Feb 28, 2020 · fb31b8b · fb31b8b
1 parent b0ca97f
commit fb31b8b
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/spec/ProtectedFields.spec.js b/spec/ProtectedFields.spec.js
@@ -777,7 +777,7 @@ describe('ProtectedFields', function() {
       object.set('revision', 0);
       object.set('test', 'test');
 
-      await object.save({ useMasterKey: true });
+      await object.save(null, { useMasterKey: true });
     }
 
     beforeEach(async () => {
@@ -812,6 +812,24 @@ describe('ProtectedFields', function() {
         })
       ).toBeResolved();
     });
+
+    it('should not allow protecting default fields', async () => {
+      const defaultFields = ['objectId', 'createdAt', 'updatedAt', 'ACL'];
+      for (const field of defaultFields) {
+        await expectAsync(
+          updateCLP({
+            protectedFields: {
+              '*': [field],
+            },
+          })
+        ).toBeRejectedWith(
+          new Parse.Error(
+            Parse.Error.INVALID_JSON,
+            `Default field '${field}' can not be protected`
+          )
+        );
+      }
+    });
   });
 
   describe('targeting public access', () => {
@@ -1310,10 +1328,10 @@ describe('ProtectedFields', function() {
 
       // admin supersets moder role
       moder.relation('roles').add(admin);
-      await moder.save({ useMasterKey: true });
+      await moder.save(null, { useMasterKey: true });
 
       tester.relation('roles').add(moder);
-      await tester.save({ useMasterKey: true });
+      await tester.save(null, { useMasterKey: true });
 
       const roleAdmin = `role:${admin.get('name')}`;
       const roleModer = `role:${moder.get('name')}`;

diff --git a/src/Controllers/SchemaController.js b/src/Controllers/SchemaController.js
@@ -307,6 +307,13 @@ function validateCLP(
 
         // if the field is in form of array
         for (const field of protectedFields) {
+          // do not alloow to protect default fields
+          if (defaultColumns._Default[field]) {
+            throw new Parse.Error(
+              Parse.Error.INVALID_JSON,
+              `Default field '${field}' can not be protected`
+            );
+          }
           // field should exist on collection
           if (!Object.prototype.hasOwnProperty.call(fields, field)) {
             throw new Parse.Error(