hub / github.com/parse-community/parse-server / enforceRoleSecurity

Function enforceRoleSecurity

src/SharedRest.js:14–55  ·  view source on GitHub ↗
(method, className, auth, config)

Source from the content-addressed store, hash-verified

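/**
 * Access gate run before a REST operation touches a class.
 *
 * Despite its name, nothing in this function is specific to `_Role`. It
 * throws the OPERATION_FORBIDDEN error built by `createSanitizedError` when:
 *
 *   1. a caller with neither `auth.isMaster` nor `auth.isMaintenance` runs
 *      `delete` or `find` on `_Installation` (other methods on
 *      `_Installation` are not blocked here);
 *   2. such a caller runs any method on a class listed in
 *      `classesWithMasterOnlyAccess`;
 *   3. such a caller runs any method on a class whose name starts with
 *      `_Join:`;
 *   4. a caller flagged `auth.isReadOnly` runs `delete`, `create` or
 *      `update`, whatever the class.
 *
 * It returns undefined when none of the rules match. Methods are matched by
 * exact string comparison, so callers must pass the canonical lowercase
 * names: any other value is treated as a non-write by rule 4 and as
 * "not delete/find" by rule 1.
 *
 * @param {string} method - Operation name; the values compared here are
 *   'find', 'delete', 'create' and 'update'.
 * @param {string} className - Target class. A value without a `startsWith`
 *   method raises a TypeError at rule 3 instead of being let through.
 * @param {object} auth - Caller auth; `isMaster`, `isMaintenance` and
 *   `isReadOnly` are read.
 * @param {object} config - Passed through unchanged to `createSanitizedError`.
 * @returns {undefined}
 * @throws The value returned by `createSanitizedError` when a rule matches.
 */
function enforceRoleSecurity(method, className, auth, config) {
  // Master and maintenance auth bypass rules 1-3, but not rule 4.
  const isUnprivileged = !auth.isMaster && !auth.isMaintenance;
  // NOTE(review): presumably createSanitizedError decides, from config, how
  // much of the message reaches the client - confirm against its definition.
  const forbidden = (message) =>
    createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, message, config);

  // Rule 1: installations may not be enumerated or deleted by clients.
  if (className === '_Installation' && isUnprivileged) {
    if (method === 'delete' || method === 'find') {
      throw forbidden(
        `Clients aren't allowed to perform the ${method} operation on the installation collection.`
      );
    }
  }

  // Rule 2: classes in classesWithMasterOnlyAccess are closed to clients for
  // every method.
  if (classesWithMasterOnlyAccess.includes(className) && isUnprivileged) {
    throw forbidden(
      `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`
    );
  }

  // Rule 3: _Join tables are internal and must only be modified through
  // relation operations.
  if (className.startsWith('_Join:') && isUnprivileged) {
    throw forbidden(
      `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`
    );
  }

  // Rule 4: a read-only master key may not write. Deliberately not tied to
  // isMaster - the isReadOnly flag alone is enough to block the write.
  const isWrite = method === 'delete' || method === 'create' || method === 'update';
  if (auth.isReadOnly && isWrite) {
    throw forbidden(`read-only masterKey isn't allowed to perform the ${method} operation.`);
  }
}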
57module.exports = {
58 enforceRoleSecurity,

Callers 7

findFunction · 0.85
getFunction · 0.85
delFunction · 0.85
createFunction · 0.85
updateFunction · 0.85
RestQueryFunction · 0.85
RestQuery.jsFile · 0.85

Calls 1

createSanitizedErrorFunction · 0.85

Tested by

no test coverage detected