(method, className, auth, config)
| 12 | |
| 13 | // Disallowing access to the _Role collection except by master key |
| 14 | function enforceRoleSecurity(method, className, auth, config) { |
| 15 | if (className === '_Installation' && !auth.isMaster && !auth.isMaintenance) { |
| 16 | if (method === 'delete' || method === 'find') { |
| 17 | throw createSanitizedError( |
| 18 | Parse.Error.OPERATION_FORBIDDEN, |
| 19 | `Clients aren't allowed to perform the ${method} operation on the installation collection.`, |
| 20 | config |
| 21 | ); |
| 22 | } |
| 23 | } |
| 24 | |
| 25 | //all volatileClasses are masterKey only |
| 26 | if ( |
| 27 | classesWithMasterOnlyAccess.indexOf(className) >= 0 && |
| 28 | !auth.isMaster && |
| 29 | !auth.isMaintenance |
| 30 | ) { |
| 31 | throw createSanitizedError( |
| 32 | Parse.Error.OPERATION_FORBIDDEN, |
| 33 | `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`, |
| 34 | config |
| 35 | ); |
| 36 | } |
| 37 | |
| 38 | // _Join tables are internal and must only be modified through relation operations |
| 39 | if (className.startsWith('_Join:') && !auth.isMaster && !auth.isMaintenance) { |
| 40 | throw createSanitizedError( |
| 41 | Parse.Error.OPERATION_FORBIDDEN, |
| 42 | `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`, |
| 43 | config |
| 44 | ); |
| 45 | } |
| 46 | |
| 47 | // readOnly masterKey is not allowed |
| 48 | if (auth.isReadOnly && (method === 'delete' || method === 'create' || method === 'update')) { |
| 49 | throw createSanitizedError( |
| 50 | Parse.Error.OPERATION_FORBIDDEN, |
| 51 | `read-only masterKey isn't allowed to perform the ${method} operation.`, |
| 52 | config |
| 53 | ); |
| 54 | } |
| 55 | } |
| 56 | |
| 57 | module.exports = { |
| 58 | enforceRoleSecurity, |
no test coverage detected