fix 2

Author: mtrezza

src/Controllers/DatabaseController.js

@@ -130,19 +130,8 @@ const filterSensitiveData = (
   schema: SchemaController.SchemaController | any,
   className: string,
   protectedFields: null | Array<any>,
-  object: any,
-  query: any = {}
+  object: any
 ) => {
-  if (!isMaster && !Array.isArray(protectedFields)) {
-    protectedFields = new DatabaseController().addProtectedFields(
-      schema,
-      className,
-      query,
-      aclGroup,
-      auth
-    );
-  }
-
   let userId = null;
   if (auth && auth.user) userId = auth.user.id;
 
@@ -1821,6 +1810,7 @@ class DatabaseController {
   }
 
   static _validateQuery: any => void;
+  static filterSensitiveData: (boolean, any[], any, any, any, string, any[], any) => void;
 }
 
 module.exports = DatabaseController;

src/LiveQuery/ParseLiveQueryServer.js

@@ -18,7 +18,7 @@ import {
   toJSONwithObjects,
 } from '../triggers';
 import { getAuthForSessionToken, Auth } from '../Auth';
-import { getCacheController } from '../Controllers';
+import { getCacheController, getDatabaseController } from '../Controllers';
 import LRU from 'lru-cache';
 import UserRouter from '../Routers/UsersRouter';
 import DatabaseController from '../Controllers/DatabaseController';
@@ -567,14 +567,24 @@ class ParseLiveQueryServer {
       if (!obj) {
         return;
       }
+      let protectedFields = classLevelPermissions?.protectedFields || [];
+      if (!client.hasMasterKey && !Array.isArray(protectedFields)) {
+        protectedFields = getDatabaseController(this.config).addProtectedFields(
+          classLevelPermissions,
+          res.object.className,
+          query,
+          aclGroup,
+          clientAuth
+        );
+      }
       return DatabaseController.filterSensitiveData(
         client.hasMasterKey,
         aclGroup,
         clientAuth,
         op,
         classLevelPermissions,
         res.object.className,
-        classLevelPermissions?.protectedFields,
+        protectedFields,
         obj,
         query
       );