protectedFields user white-listing not working for custom classes #5884

Closed
@Dobbias

Issue Description

When using protectedFields on a custom class and adding a userId to the object ACL (read) in the custom class, the ACL is ignored and the protected fields are not returned when the specified user is logged in and requests the document. Using roles works with ACL and protectedFields.

The problem can be traced back to the addProtectedFields function in DatabaseController.js:

The following check in the function:
if ( Object.keys(query).length === 0 && auth && auth.user && aclGroup.indexOf(auth.user.id) > -1 ) return null;

does support the behavior of white-listing users for the protectedFields, but since Object.keys(query).length is almost always larger than 0 for queries, the condition is almost never true, even though the user has permission to read the protectedFields.

Steps to reproduce

  1. Create a custom class
  2. Add protected fields
  3. Create an object in the custom class
  4. Add a user to the object ACL with read permission
  5. Request the object as the user added to the ACL
  6. Protected fields are not returned

Expected Results

The protected fields are returned since the user has the read ACL permission.

Actual Outcome

The protected fields are not returned.

Environment Setup

  • Server

    • parse-server version: 3.7.2
    • Operating System: Arch Linux
    • Hardware: [FILL THIS OUT]
    • Localhost or remote server?: localhost
  • Database

    • MongoDB version: 4.0.11
    • Storage engine: [FILL THIS OUT]
    • Hardware: [FILL THIS OUT]
    • Localhost or remote server?: mongoDB Atlas

Logs/Trace
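
The behavior reported above can be reproduced in isolation. This is an added example, not code from the issue author or from parse-server: only the guard condition is taken from the issue, while `readAs`, the sample object, the field name `secret` and the contents of `aclGroup` are constructed assumptions.

```javascript
// Stand-alone model of the guard quoted in the issue (not parse-server code).
// Returns true when the guard would "return null", i.e. no fields are stripped.
function guardSkipsProtection(query, auth, aclGroup) {
  return Boolean(
    Object.keys(query).length === 0 &&
      auth &&
      auth.user &&
      aclGroup.indexOf(auth.user.id) > -1
  );
}

// Hypothetical helper: apply the guard, then drop the protected keys.
function readAs(object, query, auth, aclGroup, protectedKeys) {
  const visible = { ...object };
  if (guardSkipsProtection(query, auth, aclGroup)) return visible;
  for (const key of protectedKeys) delete visible[key];
  return visible;
}

// Constructed sample data (assumption: aclGroup lists the ids the guard checks).
const auth = { user: { id: 'user123' } };
const aclGroup = ['user123'];
const stored = { objectId: 'obj1', title: 'report', secret: 'internal' };
const protectedKeys = ['secret'];

// Request shapes a client typically sends; only the first has an empty query.
const requestShapes = {
  'find with no constraints': {},
  'get by objectId': { objectId: 'obj1' },
  'find with a where clause': { title: 'report' },
};

// For each request shape, report whether the protected field is returned.
function summarize() {
  const result = {};
  for (const [name, query] of Object.entries(requestShapes)) {
    const visible = readAs(stored, query, auth, aclGroup, protectedKeys);
    result[name] = 'secret' in visible;
  }
  return result;
}

console.log(summarize());
```

A regression test for this issue should cover the non-empty query shapes, since those are the ones where the white-listed user loses the protected field.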

Labels: type:bug
