Adds support for CLP in Live query (no support for roles yet)

Author: flovilmart

spec/ParseLiveQueryServer.spec.js

@@ -1058,6 +1058,92 @@ describe('ParseLiveQueryServer', function() {
 
   });
 
+  describe('class level permissions', () => {
+    it('matches CLP when find is closed', (done) => {
+      var parseLiveQueryServer = new ParseLiveQueryServer(10, 10, {});
+      var acl = new Parse.ACL();
+      acl.setReadAccess(testUserId, true);
+      // Mock sessionTokenCache will return false when sessionToken is undefined
+      var client = {
+        sessionToken: 'sessionToken',
+        getSubscriptionInfo: jasmine.createSpy('getSubscriptionInfo').and.returnValue({
+          sessionToken: undefined
+        })
+      };
+      var requestId = 0;
+
+      parseLiveQueryServer._matchesCLP({
+        find: {}
+      }, { className: 'Yolo' }, client, requestId, 'find').then((isMatched) => {
+        expect(isMatched).toBe(false);
+        done();
+      });
+    });
+
+    it('matches CLP when find is open', (done) => {
+      var parseLiveQueryServer = new ParseLiveQueryServer(10, 10, {});
+      var acl = new Parse.ACL();
+      acl.setReadAccess(testUserId, true);
+      // Mock sessionTokenCache will return false when sessionToken is undefined
+      var client = {
+        sessionToken: 'sessionToken',
+        getSubscriptionInfo: jasmine.createSpy('getSubscriptionInfo').and.returnValue({
+          sessionToken: undefined
+        })
+      };
+      var requestId = 0;
+
+      parseLiveQueryServer._matchesCLP({
+        find: { '*': true }
+      }, { className: 'Yolo' }, client, requestId, 'find').then((isMatched) => {
+        expect(isMatched).toBe(true);
+        done();
+      });
+    });
+
+    it('matches CLP when find is restricted to userIds', (done) => {
+      var parseLiveQueryServer = new ParseLiveQueryServer(10, 10, {});
+      var acl = new Parse.ACL();
+      acl.setReadAccess(testUserId, true);
+      // Mock sessionTokenCache will return false when sessionToken is undefined
+      var client = {
+        sessionToken: 'sessionToken',
+        getSubscriptionInfo: jasmine.createSpy('getSubscriptionInfo').and.returnValue({
+          sessionToken: 'userId'
+        })
+      };
+      var requestId = 0;
+
+      parseLiveQueryServer._matchesCLP({
+        find: { 'userId': true }
+      }, { className: 'Yolo' }, client, requestId, 'find').then((isMatched) => {
+        expect(isMatched).toBe(true);
+        done();
+      });
+    });
+
+    it('matches CLP when find is restricted to userIds', (done) => {
+      var parseLiveQueryServer = new ParseLiveQueryServer(10, 10, {});
+      var acl = new Parse.ACL();
+      acl.setReadAccess(testUserId, true);
+      // Mock sessionTokenCache will return false when sessionToken is undefined
+      var client = {
+        sessionToken: 'sessionToken',
+        getSubscriptionInfo: jasmine.createSpy('getSubscriptionInfo').and.returnValue({
+          sessionToken: undefined
+        })
+      };
+      var requestId = 0;
+
+      parseLiveQueryServer._matchesCLP({
+        find: { 'userId': true }
+      }, { className: 'Yolo' }, client, requestId, 'find').then((isMatched) => {
+        expect(isMatched).toBe(false);
+        done();
+      });
+    });
+  });
+
   it('can validate key when valid key is provided', function() {
     var parseLiveQueryServer = new ParseLiveQueryServer({}, {
       keyPairs: {

src/Controllers/LiveQueryController.js

@@ -16,33 +16,36 @@ export class LiveQueryController {
     this.liveQueryPublisher = new ParseCloudCodePublisher(config);
   }
 
-  onAfterSave(className: string, currentObject: any, originalObject: any) {
+  onAfterSave(className: string, currentObject: any, originalObject: any, classLevelPermissions: ?any) {
     if (!this.hasLiveQuery(className)) {
       return;
     }
-    const req = this._makePublisherRequest(currentObject, originalObject);
+    const req = this._makePublisherRequest(currentObject, originalObject, classLevelPermissions);
     this.liveQueryPublisher.onCloudCodeAfterSave(req);
   }
 
-  onAfterDelete(className: string, currentObject: any, originalObject: any) {
+  onAfterDelete(className: string, currentObject: any, originalObject: any, classLevelPermissions: any) {
     if (!this.hasLiveQuery(className)) {
       return;
     }
-    const req = this._makePublisherRequest(currentObject, originalObject);
+    const req = this._makePublisherRequest(currentObject, originalObject, classLevelPermissions);
     this.liveQueryPublisher.onCloudCodeAfterDelete(req);
   }
 
   hasLiveQuery(className: string): boolean {
     return this.classNames.has(className);
   }
 
-  _makePublisherRequest(currentObject: any, originalObject: any): any {
+  _makePublisherRequest(currentObject: any, originalObject: any, classLevelPermissions: ?any): any {
     const req = {
       object: currentObject
     };
     if (currentObject) {
       req.original = originalObject;
     }
+    if (classLevelPermissions) {
+      req.classLevelPermissions = classLevelPermissions;
+    }
     return req;
   }
 }

src/LiveQuery/ParseLiveQueryServer.js

@@ -8,6 +8,7 @@ import RequestSchema from './RequestSchema';
 import { matchesQuery, queryHash } from './QueryTools';
 import { ParsePubSub } from './ParsePubSub';
 import { SessionTokenCache } from './SessionTokenCache';
+import SchemaController from '../Controllers/SchemaController';
 import _ from 'lodash';
 import uuid from 'uuid';
 import { runLiveQueryEventHandlers } from '../triggers';
@@ -107,6 +108,7 @@ class ParseLiveQueryServer {
     logger.verbose(Parse.applicationId + 'afterDelete is triggered');
 
     const deletedParseObject = message.currentParseObject.toJSON();
+    const classLevelPermissions = message.classLevelPermissions;
     const className = deletedParseObject.className;
     logger.verbose('ClassName: %j | ObjectId: %s', className, deletedParseObject.id);
     logger.verbose('Current client number : %d', this.clients.size);
@@ -128,13 +130,17 @@ class ParseLiveQueryServer {
         }
         for (const requestId of requestIds) {
           const acl = message.currentParseObject.getACL();
-          // Check ACL
-          this._matchesACL(acl, client, requestId).then((isMatched) => {
+          // Check CLP
+          const op = this._getCLPOperation(subscription.query);
+          this._matchesCLP(classLevelPermissions, message.currentParseObject, client, requestId, op).then(() => {
+            // Check ACL
+            return this._matchesACL(acl, client, requestId)
+          }).then((isMatched) => {
             if (!isMatched) {
               return null;
             }
             client.pushDelete(requestId, deletedParseObject);
-          }, (error) => {
+          }).catch((error) => {
             logger.error('Matching ACL error : ', error);
           });
         }
@@ -151,6 +157,7 @@ class ParseLiveQueryServer {
     if (message.originalParseObject) {
       originalParseObject = message.originalParseObject.toJSON();
     }
+    const classLevelPermissions = message.classLevelPermissions;
     const currentParseObject = message.currentParseObject.toJSON();
     const className = currentParseObject.className;
     logger.verbose('ClassName: %s | ObjectId: %s', className, currentParseObject.id);
@@ -191,11 +198,13 @@ class ParseLiveQueryServer {
             const currentACL = message.currentParseObject.getACL();
             currentACLCheckingPromise = this._matchesACL(currentACL, client, requestId);
           }
-
-          Parse.Promise.when(
-            originalACLCheckingPromise,
-            currentACLCheckingPromise
-          ).then((isOriginalMatched, isCurrentMatched) => {
+          const op = this._getCLPOperation(subscription.query);
+          this._matchesCLP(classLevelPermissions, message.currentParseObject, client, requestId, op).then(() => {
+            return Parse.Promise.when(
+              originalACLCheckingPromise,
+              currentACLCheckingPromise
+            );
+          }).then((isOriginalMatched, isCurrentMatched) => {
             logger.verbose('Original %j | Current %j | Match: %s, %s, %s, %s | Query: %s',
               originalParseObject,
               currentParseObject,
@@ -327,6 +336,52 @@ class ParseLiveQueryServer {
     return matchesQuery(parseObject, subscription.query);
   }
 
+  _matchesCLP(classLevelPermissions: ?any, object: any, client: any, requestId: number, op: string): any {
+    return Parse.Promise.as().then(() => {
+      // try to match on user first, less expensive than with roles
+      const subscriptionInfo = client.getSubscriptionInfo(requestId);
+      if (typeof subscriptionInfo === 'undefined') {
+        return Parse.Promise.as(['*']);
+      }
+      let foundUserId;
+      const subscriptionSessionToken = subscriptionInfo.sessionToken;
+      return this.sessionTokenCache.getUserId(subscriptionSessionToken).then((userId) => {
+        foundUserId = userId;
+        if (userId) {
+          return Parse.Promise.as(['*', userId]);
+        }
+        return Parse.Promise.as(['*']);
+      }).then((aclGroup) => {
+        console.log(aclGroup); // eslint-disable-line
+        try {
+          return SchemaController.validatePermission(classLevelPermissions, object.className, aclGroup, op).then(() => {
+            return Parse.Promise.as(true);
+          });
+        } catch(e) {
+          logger.verbose(`Failed matching CLP for ${object.id} ${foundUserId} ${e}`);
+          return Parse.Promise.as(false);
+        }
+        // TODO: handle roles permissions
+        // Object.keys(classLevelPermissions).forEach((key) => {
+        //   const perm = classLevelPermissions[key];
+        //   Object.keys(perm).forEach((key) => {
+        //     if (key.indexOf('role'))
+        //   });
+        // })
+        // // it's rejected here, check the roles
+        // var rolesQuery = new Parse.Query(Parse.Role);
+        // rolesQuery.equalTo("users", user);
+        // return rolesQuery.find({useMasterKey:true});
+      });
+    })
+  }
+
+  _getCLPOperation(query: any) {
+    return typeof query == 'object'
+      && Object.keys(query).length == 1
+      && typeof query.objectId === 'string' ? 'get' : 'find';
+  }
+
   _matchesACL(acl: any, client: any, requestId: number): any {
     // Return true directly if ACL isn't present, ACL is public read, or client has master key
     if (!acl || acl.getPublicReadAccess() || client.hasMasterKey) {

src/RestWrite.js

@@ -1137,8 +1137,11 @@ RestWrite.prototype.runAfterTrigger = function() {
   const updatedObject = this.buildUpdatedObject(extraData);
   updatedObject._handleSaveResponse(this.response.response, this.response.status || 200);
 
-  // Notifiy LiveQueryServer if possible
-  this.config.liveQueryController.onAfterSave(updatedObject.className, updatedObject, originalObject);
+  this.config.database.loadSchema().then((schemaController) => {
+    // Notifiy LiveQueryServer if possible
+    const perms = schemaController.perms[updatedObject.className];
+    this.config.liveQueryController.onAfterSave(updatedObject.className, updatedObject, originalObject, perms);
+  });
 
   // Run afterSave trigger
   return triggers.maybeRunTrigger(triggers.Types.afterSave, this.auth, updatedObject, originalObject, this.config)

src/rest.js

@@ -81,7 +81,10 @@ function del(config, auth, className, objectId) {
             cacheAdapter.user.del(firstResult.sessionToken);
             inflatedObject = Parse.Object.fromJSON(firstResult);
             // Notify LiveQuery server if possible
-            config.liveQueryController.onAfterDelete(inflatedObject.className, inflatedObject);
+            config.database.loadSchema().then((schemaController) => {
+              const perms = schemaController.perms[inflatedObject.className];
+              config.liveQueryController.onAfterDelete(inflatedObject.className, inflatedObject, perms);
+            });
             return triggers.maybeRunTrigger(triggers.Types.beforeDelete, auth, inflatedObject, null,  config);
           }
           throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,