Description
Please read the following instructions carefully.
Make sure these boxes are checked before submitting your issue -- thanks for reporting issues back to Parse Server!
- [X ] You've met the prerequisites: https://github.com/ParsePlatform/parse-server/wiki/Parse-Server-Guide#prerequisites.
- [X ] You're running the latest version of Parse Server: https://github.com/ParsePlatform/parse-server/releases
- [ X] You've searched through existing issues: https://github.com/ParsePlatform/Parse-Server/issues?utf8=%E2%9C%93&q=is%3Aissue Chances are that your issue has been reported or resolved before.
- [ X] You have filled out every section below. Issues without sufficient information are more likely to be closed.
Issue Description
I currently have the following code which was migrated from and currently works without a problem on Parse.com
var Truck = Parse.Object.extend("Truck");
var truckObject = new Truck();
truckObject.id = requestParams.truckId;
query.equalTo("truck", truckObject);
query.include('vendor', 'truck', 'overrideMenu');
query.limit(1000);
return query.find()
.then(function(scheduleResults){});
The query.find() call fails with the following exception
{"message":"Permission denied for this action.","code":119}
When trouble shooting this issues I noticed that if I remove VENDOR from the INCLUDE function then everything works fine. The VENDOR field is a pointer to a record in the collection called vendor .
The CLP for collection vendor is as follows:
I noticed that when I check the box for FIND permission on the CLP the error goes away. However I feel that this behavior is incorrect since it is a direct pointer load and should be treated as a GET read rather then a FIND read.
Also passing in useMasterKey also fixes the issue and while in this case it is an acceptable work around I believe the core behavior is wrong when using an include function to load pointer objects with a CLP of GET = false
Steps to reproduce
Please include a detailed list of steps that reproduce the issue. Include curl commands when applicable.
- Create a collection object called collection1 with a pointer field to collection2
- Uncheck the GET permission on the CLP of collection 2
- Run a QUERY on collection1 and include a call to the include function so that the full row of collection2 is loaded as well.
The call will fail with a permission error.
Expected Results
Since I assume that the include does a GET I don't see why the query would fail. My assumption is the the collection2 pointer field would load successfully
{"message":"Permission denied for this action.","code":119}
[FILL THIS OUT]
Environment Setup
- Server
- parse-server version: 2.15.5
- Operating System: Mac OS X (nodeJS running locally)
- Hardware: Macbook Air
- Localhost or remote server? local
- Database
- MongoDB version: [3.1.0-1.5
- Storage engine: Dont know
- Hardware: AWS
- Localhost or remote server? Remote server running on AWS
Logs/Trace
You can turn on additional logging by configuring VERBOSE=1 in your environment.
[FILL THIS OUT]