Merge branch 'alpha' into role-beforeSave

Author: mtrezza

.github/pull_request_template.md

@@ -11,7 +11,7 @@
 ### Issue Description
 <!-- Add a brief description of the issue this PR solves. -->
 
-Related issue: FILL_THIS_OUT
+Closes: FILL_THIS_OUT
 
 ### Approach
 <!-- Add a description of the approach in this PR. -->
@@ -26,4 +26,3 @@ Related issue: FILL_THIS_OUT
 - [ ] Add changes to documentation (guides, repository pages, in-code descriptions)
 - [ ] Add [security check](https://github.com/parse-community/parse-server/blob/master/CONTRIBUTING.md#security-checks)
 - [ ] Add new Parse Error codes to Parse JS SDK <!-- no hard-coded error codes in Parse Server -->
-- [x] A changelog entry is created automatically using the pull request title (do not manually add a changelog entry)

DEPRECATIONS.md

@@ -6,7 +6,7 @@ The following is a list of deprecations, according to the [Deprecation Policy](h
 |--------|-------------------------------------------------|----------------------------------------------------------------------|---------------------------------|---------------------------------|-----------------------|-------|
 | DEPPS1 | Native MongoDB syntax in aggregation pipeline   | [#7338](https://github.com/parse-community/parse-server/issues/7338) | 5.0.0 (2022)                    | 6.0.0 (2023)                    | deprecated            | -     |
 | DEPPS2 | Config option `directAccess` defaults to `true` | [#6636](https://github.com/parse-community/parse-server/pull/6636)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | removed            | -     |
-| DEPPS3 | Config option `enforcePrivateUsers` defaults to `true` | [#7319](https://github.com/parse-community/parse-server/pull/7319)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | deprecated            | -     |
+| DEPPS3 | Config option `enforcePrivateUsers` defaults to `true` | [#7319](https://github.com/parse-community/parse-server/pull/7319)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | removed            | -     |
 | DEPPS4 | Remove convenience method for http request `Parse.Cloud.httpRequest` | [#7589](https://github.com/parse-community/parse-server/pull/7589)   | 5.0.0 (2022)                    | 6.0.0 (2023)                    | removed            | -     |
 | DEPPS5 | Config option `allowClientClassCreation` defaults to `false` | [#7925](https://github.com/parse-community/parse-server/pull/7925)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | deprecated            | -     |
 | DEPPS6 | Auth providers disabled by default | [#7953](https://github.com/parse-community/parse-server/pull/7953)   | 5.3.0 (2022)                    | 7.0.0 (2024)                    | deprecated            | -     |

changelogs/CHANGELOG_alpha.md

@@ -1,3 +1,15 @@
+# [6.0.0-alpha.9](https://github.com/parse-community/parse-server/compare/6.0.0-alpha.8...6.0.0-alpha.9) (2022-11-16)
+
+
+### Features
+
+* Remove deprecation `DEPPS3`: Config option `enforcePrivateUsers` defaults to `true` ([#8283](https://github.com/parse-community/parse-server/issues/8283)) ([ed499e3](https://github.com/parse-community/parse-server/commit/ed499e32a21bab9a874a9e5367dc71248ce836c4))
+
+
+### BREAKING CHANGES
+
+* The Parse Server option `enforcePrivateUsers` is set to `true` by default; in previous releases this option defaults to `false`; this change improves the default security configuration of Parse Server (#8283) ([ed499e3](ed499e3))
+
 # [6.0.0-alpha.8](https://github.com/parse-community/parse-server/compare/6.0.0-alpha.7...6.0.0-alpha.8) (2022-11-11)
 
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "6.0.0-alpha.8",
+  "version": "6.0.0-alpha.9",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {

package.json

@@ -292,30 +292,37 @@ describe('ParseGraphQLServer', () => {
     let objects = [];
 
     async function prepareData() {
+      const acl = new Parse.ACL();
+      acl.setPublicReadAccess(true);
       user1 = new Parse.User();
       user1.setUsername('user1');
       user1.setPassword('user1');
       user1.setEmail('[email protected]');
+      user1.setACL(acl);
       await user1.signUp();
 
       user2 = new Parse.User();
       user2.setUsername('user2');
       user2.setPassword('user2');
+      user2.setACL(acl);
       await user2.signUp();
 
       user3 = new Parse.User();
       user3.setUsername('user3');
       user3.setPassword('user3');
+      user3.setACL(acl);
       await user3.signUp();
 
       user4 = new Parse.User();
       user4.setUsername('user4');
       user4.setPassword('user4');
+      user4.setACL(acl);
       await user4.signUp();
 
       user5 = new Parse.User();
       user5.setUsername('user5');
       user5.setPassword('user5');
+      user5.setACL(acl);
       await user5.signUp();
 
       const roleACL = new Parse.ACL();
@@ -7066,6 +7073,11 @@ describe('ParseGraphQLServer', () => {
                 },
               },
             },
+            context: {
+              headers: {
+                'X-Parse-Master-Key': 'test',
+              },
+            },
           });
 
           expect(result.data.createUser.clientMutationId).toEqual(clientMutationId);
@@ -7123,6 +7135,7 @@ describe('ParseGraphQLServer', () => {
                       username: 'user2',
                       password: 'user2',
                       someField: 'someValue2',
+                      ACL: { public: { read: true, write: true } },
                     },
                   },
                   someField: 'someValue',
@@ -7195,6 +7208,7 @@ describe('ParseGraphQLServer', () => {
                       username: 'user2',
                       password: 'user2',
                       someField: 'someValue2',
+                      ACL: { public: { read: true, write: true } },
                     },
                   },
                 },
@@ -8308,19 +8322,21 @@ describe('ParseGraphQLServer', () => {
           const someClass = new Parse.Object('SomeClass');
           await someClass.save();
 
+          const roleACL = new Parse.ACL();
+          roleACL.setPublicReadAccess(true);
+
           const user = new Parse.User();
           user.set('username', 'username');
           user.set('password', 'password');
+          user.setACL(roleACL);
           await user.signUp();
 
           const user2 = new Parse.User();
           user2.set('username', 'username2');
           user2.set('password', 'password2');
+          user2.setACL(roleACL);
           await user2.signUp();
 
-          const roleACL = new Parse.ACL();
-          roleACL.setPublicReadAccess(true);
-
           const role = new Parse.Role('aRole', roleACL);
           await role.save();
 
@@ -10597,6 +10613,9 @@ describe('ParseGraphQLServer', () => {
           const user = new Parse.User();
           user.setUsername('user1');
           user.setPassword('user1');
+          const acl = new Parse.ACL();
+          acl.setPublicReadAccess(true);
+          user.setACL(acl);
           await user.signUp();
 
           await parseGraphQLServer.parseGraphQLSchema.schemaCache.clear();

spec/ParseGraphQLServer.spec.js

@@ -1076,6 +1076,9 @@ describe('ParseLiveQuery', function () {
     user.setUsername('username');
     user.setPassword('password');
     user.set('foo', 'bar');
+    const acl = new Parse.ACL();
+    acl.setPublicReadAccess(true);
+    user.setACL(acl);
 
     const query = new Parse.Query(Parse.User);
     query.equalTo('foo', 'bar');

spec/ParseLiveQuery.spec.js

@@ -6,6 +6,8 @@
 const request = require('../lib/request');
 
 function setupTestUsers() {
+  const acl = new Parse.ACL();
+  acl.setPublicReadAccess(true);
   const user1 = new Parse.User();
   const user2 = new Parse.User();
   const user3 = new Parse.User();
@@ -18,6 +20,10 @@ function setupTestUsers() {
   user2.set('password', 'password');
   user3.set('password', 'password');
 
+  user1.setACL(acl);
+  user2.setACL(acl);
+  user3.setACL(acl);
+
   return user1
     .signUp()
     .then(() => {

spec/ParseSession.spec.js

@@ -196,14 +196,13 @@ describe('Parse.User testing', () => {
     const ACL = user.getACL();
     expect(ACL.getReadAccess(user)).toBe(true);
     expect(ACL.getWriteAccess(user)).toBe(true);
-    expect(ACL.getPublicReadAccess()).toBe(true);
+    expect(ACL.getPublicReadAccess()).toBe(false);
     expect(ACL.getPublicWriteAccess()).toBe(false);
     const perms = ACL.permissionsById;
-    expect(Object.keys(perms).length).toBe(2);
+    expect(Object.keys(perms).length).toBe(1);
     expect(perms[user.id].read).toBe(true);
     expect(perms[user.id].write).toBe(true);
-    expect(perms['*'].read).toBe(true);
-    expect(perms['*'].write).not.toBe(true);
+    expect(perms['*']).toBeUndefined();
     done();
   });
 
@@ -875,8 +874,8 @@ describe('Parse.User testing', () => {
     kevin.set('password', 'mypass');
     await kevin.signUp();
     const query = new Parse.Query(Parse.User);
-    const count = await query.count();
-    equal(count, 2);
+    const count = await query.find({ useMasterKey: true });
+    equal(count.length, 2);
     done();
   });
 
@@ -2153,7 +2152,15 @@ describe('Parse.User testing', () => {
   });
 
   it("querying for users doesn't get session tokens", done => {
-    Parse.User.signUp('finn', 'human', { foo: 'bar' })
+    const user = new Parse.User();
+    user.set('username', 'finn');
+    user.set('password', 'human');
+    user.set('foo', 'bar');
+    const acl = new Parse.ACL();
+    acl.setPublicReadAccess(true);
+    user.setACL(acl);
+    user
+      .signUp()
       .then(function () {
         return Parse.User.logOut();
       })
@@ -2162,6 +2169,9 @@ describe('Parse.User testing', () => {
         user.set('username', 'jake');
         user.set('password', 'dog');
         user.set('foo', 'baz');
+        const acl = new Parse.ACL();
+        acl.setPublicReadAccess(true);
+        user.setACL(acl);
         return user.signUp();
       })
       .then(function () {
@@ -2188,7 +2198,14 @@ describe('Parse.User testing', () => {
   });
 
   it('querying for users only gets the expected fields', done => {
-    Parse.User.signUp('finn', 'human', { foo: 'bar' }).then(() => {
+    const user = new Parse.User();
+    user.setUsername('finn');
+    user.setPassword('human');
+    user.set('foo', 'bar');
+    const acl = new Parse.ACL();
+    acl.setPublicReadAccess(true);
+    user.setACL(acl);
+    user.signUp().then(() => {
       request({
         headers: {
           'X-Parse-Application-Id': 'test',
@@ -3426,6 +3443,9 @@ describe('Parse.User testing', () => {
       password: 'world',
       email: '[email protected]',
     });
+    const acl = new Parse.ACL();
+    acl.setPublicReadAccess(true);
+    user.setACL(acl);
 
     reconfigureServer({
       appName: 'unused',
@@ -4057,6 +4077,12 @@ describe('Parse.User testing', () => {
       silent: true,
     });
 
+    Parse.Cloud.beforeSave(Parse.User, ({ object }) => {
+      const acl = new Parse.ACL();
+      acl.setPublicReadAccess(true);
+      object.setACL(acl);
+    });
+
     const query = new Parse.Query(Parse.User);
     query.doesNotExist('foo');
     const subscription = await query.subscribe();

spec/ParseUser.spec.js

@@ -13,6 +13,9 @@ describe('ProtectedFields', function () {
     user.setPassword('sekrit');
     user.set('email', '[email protected]');
     user.set('favoriteColor', 'yellow');
+    const acl = new Parse.ACL();
+    acl.setPublicReadAccess(true);
+    user.setACL(acl);
     await user.save();
 
     const fetched = await new Parse.Query(Parse.User).get(user.id);
@@ -35,6 +38,9 @@ describe('ProtectedFields', function () {
       user.set('timeZone', 'America/Los_Angeles');
       user.set('favoriteColor', 'yellow');
       user.set('favoriteFood', 'pizza');
+      const acl = new Parse.ACL();
+      acl.setPublicReadAccess(true);
+      user.setACL(acl);
       await user.save();
 
       const fetched = await new Parse.Query(Parse.User).get(user.id);
@@ -57,6 +63,9 @@ describe('ProtectedFields', function () {
       user.set('timeZone', 'America/Los_Angeles');
       user.set('favoriteColor', 'yellow');
       user.set('favoriteFood', 'pizza');
+      const acl = new Parse.ACL();
+      acl.setPublicReadAccess(true);
+      user.setACL(acl);
       await user.save();
 
       const fetched = await new Parse.Query(Parse.User).get(user.id);
@@ -108,6 +117,9 @@ describe('ProtectedFields', function () {
       user.set('timeZone', 'America/Los_Angeles');
       user.set('favoriteColor', 'yellow');
       user.set('favoriteFood', 'pizza');
+      const acl = new Parse.ACL();
+      acl.setPublicReadAccess(true);
+      user.setACL(acl);
       await user.save();
 
       const objA = await new Parse.Object('ClassA').set('foo', 'zzz').set('bar', 'yyy').save();

spec/ProtectedFields.spec.js

@@ -96,6 +96,7 @@ describe('rest query', () => {
     let user = {
       username: 'aUsername',
       password: 'aPassword',
+      ACL: { '*': { read: true } },
     };
     const activity = {
       type: 'comment',

spec/RestQuery.spec.js

@@ -16,7 +16,9 @@ describe('Personally Identifiable Information', () => {
     await reconfigureServer();
     user = await Parse.User.signUp('tester', 'abc');
     user = await Parse.User.logIn(user.get('username'), 'abc');
-    await user.set('email', EMAIL).set('zip', ZIP).set('ssn', SSN).save();
+    const acl = new Parse.ACL();
+    acl.setPublicReadAccess(true);
+    await user.set('email', EMAIL).set('zip', ZIP).set('ssn', SSN).setACL(acl).save();
     done();
   });
 

spec/UserPII.spec.js

@@ -276,7 +276,7 @@ describe('Custom Pages, Email Verification, Password Reset', () => {
             'Found. Redirecting to http://localhost:8378/1/apps/verify_email_success.html?username=user'
           );
           user
-            .fetch()
+            .fetch({ useMasterKey: true })
             .then(
               () => {
                 expect(user.get('emailVerified')).toEqual(true);

spec/ValidationAndPasswordsReset.spec.js

@@ -16,7 +16,6 @@
  * If there are no deprecations, this must return an empty array.
  */
 module.exports = [
-  { optionKey: 'enforcePrivateUsers', changeNewDefault: 'true' },
   { optionKey: 'allowClientClassCreation', changeNewDefault: 'false' },
   { optionKey: 'allowExpiredAuthDataToken', changeNewDefault: 'false' },
 ];

src/Deprecator/Deprecations.js

@@ -217,7 +217,7 @@ module.exports.ParseServerOptions = {
     env: 'PARSE_SERVER_ENFORCE_PRIVATE_USERS',
     help: 'Set to true if new users should be created without public read and write access.',
     action: parsers.booleanParser,
-    default: false,
+    default: true,
   },
   expireInactiveSessions: {
     env: 'PARSE_SERVER_EXPIRE_INACTIVE_SESSIONS',

src/Options/Definitions.js

@@ -280,7 +280,7 @@ export interface ParseServerOptions {
   :DEFAULT: {} */
   security: ?SecurityOptions;
   /* Set to true if new users should be created without public read and write access.
-  :DEFAULT: false */
+  :DEFAULT: true */
   enforcePrivateUsers: ?boolean;
   /* Allow a user to log in even if the 3rd party authentication token that was used to sign in to their account has expired. If this is set to `false`, then the token will be validated every time the user signs in to their account. This refers to the token that is stored in the `_User.authData` field. Defaults to `true`.
   :DEFAULT: true */