diff --git a/spec/ProtectedFields.spec.js b/spec/ProtectedFields.spec.js
index 3794996c6e..fdc3c2d10a 100644
--- a/spec/ProtectedFields.spec.js
+++ b/spec/ProtectedFields.spec.js
@@ -777,7 +777,7 @@ describe('ProtectedFields', function() {
 object.set('revision', 0);
 object.set('test', 'test');
- await object.save({ useMasterKey: true });
+ await object.save(null, { useMasterKey: true });
 }
 beforeEach(async () => {
@@ -812,6 +812,24 @@ describe('ProtectedFields', function() {
 })
 ).toBeResolved();
 });
+
+ it('should not allow protecting default fields', async () => {
+ const defaultFields = ['objectId', 'createdAt', 'updatedAt', 'ACL'];
+ for (const field of defaultFields) {
+ await expectAsync(
+ updateCLP({
+ protectedFields: {
+ '*': [field],
+ },
+ })
+ ).toBeRejectedWith(
+ new Parse.Error(
+ Parse.Error.INVALID_JSON,
+ `Default field '${field}' can not be protected`
+ )
+ );
+ }
+ });
 });
 describe('targeting public access', () => {
@@ -1310,10 +1328,10 @@ describe('ProtectedFields', function() {
 // admin supersets moder role
 moder.relation('roles').add(admin);
- await moder.save({ useMasterKey: true });
+ await moder.save(null, { useMasterKey: true });
 tester.relation('roles').add(moder);
- await tester.save({ useMasterKey: true });
+ await tester.save(null, { useMasterKey: true });
 const roleAdmin = `role:${admin.get('name')}`;
 const roleModer = `role:${moder.get('name')}`;
diff --git a/src/Controllers/SchemaController.js b/src/Controllers/SchemaController.js
index 6948907744..435a4b5570 100644
--- a/src/Controllers/SchemaController.js
+++ b/src/Controllers/SchemaController.js
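Review bot: The new test in the `@@ -812,6 +812,24 @@` hunk hard-codes `['objectId', 'createdAt', 'updatedAt', 'ACL']`, so any column later added to the schema's default column set would be rejected by SchemaController without this spec ever noticing; if `defaultColumns._Default` is reachable from the spec, `const defaultFields = Object.keys(defaultColumns._Default);` keeps the test and the validator in step. The test also exercises only the `'*'` key of `protectedFields`; a second iteration using a role key of the same form this spec already builds later (`role:${...}`) would confirm that the rejection is not specific to public access. The loop's first failing field stops the remaining fields from being checked, which is acceptable but worth knowing when reading a failure report.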
@@ -307,6 +307,13 @@ function validateCLP(
 // if the field is in form of array
 for (const field of protectedFields) {
+ // do not alloow to protect default fields
+ if (defaultColumns._Default[field]) {
+ throw new Parse.Error(
+ Parse.Error.INVALID_JSON,
+ `Default field '${field}' can not be protected`
+ );
+ }
 // field should exist on collection
 if (!Object.prototype.hasOwnProperty.call(fields, field)) {
 throw new Parse.Error(
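Review bot: The new guard `if (defaultColumns._Default[field])` resolves the name through the prototype chain, whereas the existing check two lines below uses `Object.prototype.hasOwnProperty.call(fields, field)`; if `defaultColumns._Default` is a plain object, a field named `constructor` or `toString` would be reported as a protected default field with a misleading message instead of falling through to the field-existence check. Using the same own-property form, `if (Object.prototype.hasOwnProperty.call(defaultColumns._Default, field)) {`, keeps the two checks consistent and makes the rejection depend only on the declared default columns. The comment above it also has a typo: `// do not alloow to protect default fields` should read `// do not allow protecting default fields`. validateCLP begins before this hunk and continues past it.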