When using protectedFields on a custom class and adding a userId to the object ACL (read) in the custom class, the ACL is ignored and the protected fields are not returned when the specified user is logged in and requests the document. Using roles works with ACL and protectedFields.
The problem can be traced back to the addProtectedFields function in DatabaseController.js:
The following check in the function:

    if (Object.keys(query).length === 0 && auth && auth.user && aclGroup.indexOf(auth.user.id) > -1) return null;

does support the behavior of white-listing users for the protectedFields, but since Object.keys(query).length === 0 almost always is larger than 0 for queries, the condition is almost never true, besides the user having permission to read the protectedFields.
Steps to reproduce
1. Create a custom class
2. Add protected fields
3. Create an object in the custom class
4. Add a user to the object ACL with read permission
5. Request the object as the user added to the ACL
6. Protected fields are not returned
Expected Results
The protected fields are returned since the user has the read ACL permission.
Actual Outcome
The protected fields are not returned.
Environment Setup
Server
parse-server version: 3.7.2
Operating System: Arch Linux
Hardware: [FILL THIS OUT]
Localhost or remote server?: localhost
Database
MongoDB version: 4.0.11
Storage engine: [FILL THIS OUT]
Hardware: [FILL THIS OUT]
Localhost or remote server?: mongoDB Atlas
Logs/Trace
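
The behaviour reported above can be reproduced in isolation with a small model of the quoted condition. This is an added example, not code from the issue or from parse-server: `userIsExempt` wraps the quoted check, while `stripFields`, `runCases` and all sample data are hypothetical and constructed, and `aclGroup` is assumed to contain the requesting user's id.

```javascript
// Stand-alone model of the check quoted in the issue (not parse-server code).
// stripFields(), runCases() and the sample data are hypothetical, constructed here.

// The quoted condition, unchanged apart from a default value for `query`.
function userIsExempt(query = {}, auth, aclGroup) {
  return Boolean(
    Object.keys(query).length === 0 &&
    auth &&
    auth.user &&
    aclGroup.indexOf(auth.user.id) > -1
  );
}

// Hypothetical helper: remove protected fields unless the check exempts the caller.
function stripFields(object, protectedFields, query, auth, aclGroup) {
  const visible = { ...object };
  if (userIsExempt(query, auth, aclGroup)) return visible;
  for (const field of protectedFields) delete visible[field];
  return visible;
}

// Constructed sample data following the "Steps to reproduce".
const protectedFields = ['secret'];
const stored = { objectId: 'obj1', title: 'hello', secret: 's3cr3t' };
const auth = { user: { id: 'user1' } };
const aclGroup = ['user1']; // assumption: holds the requesting user's id

// Constructed query shapes a client request can produce.
const cases = {
  emptyFind: {},                   // find with no constraints
  getById: { objectId: 'obj1' },   // request one object by id
  constrained: { title: 'hello' }, // find with a where clause
};

// For each query shape, report whether the protected field survives.
function runCases() {
  const result = {};
  for (const [name, query] of Object.entries(cases)) {
    const visible = stripFields(stored, protectedFields, query, auth, aclGroup);
    result[name] = 'secret' in visible;
  }
  return result;
}

console.log(runCases());
```

Only the unconstrained query keeps the protected field; any request that carries a constraint, including a fetch by object id, falls through the check.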