parse-server 9.5.2-alpha.6 → 9.5.2-alpha.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/lib/SharedRest.js +6 -1
  2. package/package.json +1 -1
package/lib/SharedRest.js CHANGED
@@ -18,6 +18,11 @@ function enforceRoleSecurity(method, className, auth, config) {
18
18
  throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`, config);
19
19
  }
20
20
 
21
+ // _Join tables are internal and must only be modified through relation operations
22
+ if (className.startsWith('_Join:') && !auth.isMaster && !auth.isMaintenance) {
23
+ throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`, config);
24
+ }
25
+
21
26
  // readOnly masterKey is not allowed
22
27
  if (auth.isReadOnly && (method === 'delete' || method === 'create' || method === 'update')) {
23
28
  throw createSanitizedError(Parse.Error.OPERATION_FORBIDDEN, `read-only masterKey isn't allowed to perform the ${method} operation.`, config);
@@ -26,4 +31,4 @@ function enforceRoleSecurity(method, className, auth, config) {
26
31
  module.exports = {
27
32
  enforceRoleSecurity
28
33
  };
29
- //# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJuYW1lcyI6WyJjbGFzc2VzV2l0aE1hc3Rlck9ubHlBY2Nlc3MiLCJjcmVhdGVTYW5pdGl6ZWRFcnJvciIsInJlcXVpcmUiLCJlbmZvcmNlUm9sZVNlY3VyaXR5IiwibWV0aG9kIiwiY2xhc3NOYW1lIiwiYXV0aCIsImNvbmZpZyIsImlzTWFzdGVyIiwiaXNNYWludGVuYW5jZSIsIlBhcnNlIiwiRXJyb3IiLCJPUEVSQVRJT05fRk9SQklEREVOIiwiaW5kZXhPZiIsImlzUmVhZE9ubHkiLCJtb2R1bGUiLCJleHBvcnRzIl0sInNvdXJjZXMiOlsiLi4vc3JjL1NoYXJlZFJlc3QuanMiXSwic291cmNlc0NvbnRlbnQiOlsiY29uc3QgY2xhc3Nlc1dpdGhNYXN0ZXJPbmx5QWNjZXNzID0gW1xuICAnX0pvYlN0YXR1cycsXG4gICdfUHVzaFN0YXR1cycsXG4gICdfSG9va3MnLFxuICAnX0dsb2JhbENvbmZpZycsXG4gICdfSm9iU2NoZWR1bGUnLFxuICAnX0lkZW1wb3RlbmN5Jyxcbl07XG5jb25zdCB7IGNyZWF0ZVNhbml0aXplZEVycm9yIH0gPSByZXF1aXJlKCcuL0Vycm9yJyk7XG5cbi8vIERpc2FsbG93aW5nIGFjY2VzcyB0byB0aGUgX1JvbGUgY29sbGVjdGlvbiBleGNlcHQgYnkgbWFzdGVyIGtleVxuZnVuY3Rpb24gZW5mb3JjZVJvbGVTZWN1cml0eShtZXRob2QsIGNsYXNzTmFtZSwgYXV0aCwgY29uZmlnKSB7XG4gIGlmIChjbGFzc05hbWUgPT09ICdfSW5zdGFsbGF0aW9uJyAmJiAhYXV0aC5pc01hc3RlciAmJiAhYXV0aC5pc01haW50ZW5hbmNlKSB7XG4gICAgaWYgKG1ldGhvZCA9PT0gJ2RlbGV0ZScgfHwgbWV0aG9kID09PSAnZmluZCcpIHtcbiAgICAgIHRocm93IGNyZWF0ZVNhbml0aXplZEVycm9yKFxuICAgICAgICBQYXJzZS5FcnJvci5PUEVSQVRJT05fRk9SQklEREVOLFxuICAgICAgICBgQ2xpZW50cyBhcmVuJ3QgYWxsb3dlZCB0byBwZXJmb3JtIHRoZSAke21ldGhvZH0gb3BlcmF0aW9uIG9uIHRoZSBpbnN0YWxsYXRpb24gY29sbGVjdGlvbi5gLFxuICAgICAgICBjb25maWdcbiAgICAgICk7XG4gICAgfVxuICB9XG5cbiAgLy9hbGwgdm9sYXRpbGVDbGFzc2VzIGFyZSBtYXN0ZXJLZXkgb25seVxuICBpZiAoXG4gICAgY2xhc3Nlc1dpdGhNYXN0ZXJPbmx5QWNjZXNzLmluZGV4T2YoY2xhc3NOYW1lKSA+PSAwICYmXG4gICAgIWF1dGguaXNNYXN0ZXIgJiZcbiAgICAhYXV0aC5pc01haW50ZW5hbmNlXG4gICkge1xuICAgIHRocm93IGNyZWF0ZVNhbml0aXplZEVycm9yKFxuICAgICAgUGFyc2UuRXJyb3IuT1BFUkFUSU9OX0ZPUkJJRERFTixcbiAgICAgIGBDbGllbnRzIGFyZW4ndCBhbGxvd2VkIHRvIHBlcmZvcm0gdGhlICR7bWV0aG9kfSBvcGVyYXRpb24gb24gdGhlICR7Y2xhc3NOYW1lfSBjb2xsZWN0aW9uLmAsXG4gICAgICBjb25maWdcbiAgICApO1xuICB9XG5cbiAgLy8gcmVhZE9ubHkgbWFzdGVyS2V5IGlzIG5vdCBhbGxvd2VkXG4gIGlmIChhdXRoLmlzUmVhZE9ubHkgJiYgKG1ldGhvZCA9PT0gJ2RlbGV0ZScgfHwgbWV0aG9kID09PSAnY3JlYXRlJyB8fCBtZXRob2QgPT09ICd1cGRhdGUnKSkge1xuICAgIHRocm93IGNyZWF0ZVNhbml0aXplZEVycm9yKFxuICAgICAgUGFyc2UuRXJyb3IuT1BFUkFUSU9OX0ZPUkJJRERFTixcbiAgICAgIGByZWFkLW9ubHkgbWFzdGVyS2V5IGlzbid0IGFsbG93ZWQgdG8gcGVyZm9ybSB0aGUgJHttZXRob2R9IG9wZXJhdGlvbi5gLFxuICAgICAgY29uZmlnXG4gICAgKTtcbiAgfVxufVxuXG5tb2R1bGUuZXhwb3J0cyA9IHtcbiAgZW5mb3JjZVJvbGVTZWN1cml0eSxcbn07XG4iXSwibWFwcGluZ3MiOiI7O0FBQUEsTUFBTUEsMkJBQTJCLEdBQUcsQ0FDbEMsWUFBWSxFQUNaLGFBQWEsRUFDYixRQUFRLEVBQ1IsZUFBZSxFQUNmLGNBQWMsRUFDZCxjQUFjLENBQ2Y7QUFDRCxNQUFNO0VBQUVDO0FBQXFCLENBQUMsR0FBR0MsT0FBTyxDQUFDLFNBQVMsQ0FBQzs7QUFFbkQ7QUFDQSxTQUFTQyxtQkFBbUJBLENBQUNDLE1BQU0sRUFBRUMsU0FBUyxFQUFFQyxJQUFJLEVBQUVDLE1BQU0sRUFBRTtFQUM1RCxJQUFJRixTQUFTLEtBQUssZUFBZSxJQUFJLENBQUNDLElBQUksQ0FBQ0UsUUFBUSxJQUFJLENBQUNGLElBQUksQ0FBQ0csYUFBYSxFQUFFO0lBQzFFLElBQUlMLE1BQU0sS0FBSyxRQUFRLElBQUlBLE1BQU0sS0FBSyxNQUFNLEVBQUU7TUFDNUMsTUFBTUgsb0JBQW9CLENBQ3hCUyxLQUFLLENBQUNDLEtBQUssQ0FBQ0MsbUJBQW1CLEVBQy9CLHlDQUF5Q1IsTUFBTSw0Q0FBNEMsRUFDM0ZHLE1BQ0YsQ0FBQztJQUNIO0VBQ0Y7O0VBRUE7RUFDQSxJQUNFUCwyQkFBMkIsQ0FBQ2EsT0FBTyxDQUFDUixTQUFTLENBQUMsSUFBSSxDQUFDLElBQ25ELENBQUNDLElBQUksQ0FBQ0UsUUFBUSxJQUNkLENBQUNGLElBQUksQ0FBQ0csYUFBYSxFQUNuQjtJQUNBLE1BQU1SLG9CQUFvQixDQUN4QlMsS0FBSyxDQUFDQyxLQUFLLENBQUNDLG1CQUFtQixFQUMvQix5Q0FBeUNSLE1BQU0scUJBQXFCQyxTQUFTLGNBQWMsRUFDM0ZFLE1BQ0YsQ0FBQztFQUNIOztFQUVBO0VBQ0EsSUFBSUQsSUFBSSxDQUFDUSxVQUFVLEtBQUtWLE1BQU0sS0FBSyxRQUFRLElBQUlBLE1BQU0sS0FBSyxRQUFRLElBQUlBLE1BQU0sS0FBSyxRQUFRLENBQUMsRUFBRTtJQUMxRixNQUFNSCxvQkFBb0IsQ0FDeEJTLEtBQUssQ0FBQ0MsS0FBSyxDQUFDQyxtQkFBbUIsRUFDL0Isb0RBQW9EUixNQUFNLGFBQWEsRUFDdkVHLE1BQ0YsQ0FBQztFQUNIO0FBQ0Y7QUFFQVEsTUFBTSxDQUFDQyxPQUFPLEdBQUc7RUFDZmI7QUFDRixDQUFDIiwiaWdub3JlTGlzdCI6W119
34
+ //# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJuYW1lcyI6WyJjbGFzc2VzV2l0aE1hc3Rlck9ubHlBY2Nlc3MiLCJjcmVhdGVTYW5pdGl6ZWRFcnJvciIsInJlcXVpcmUiLCJlbmZvcmNlUm9sZVNlY3VyaXR5IiwibWV0aG9kIiwiY2xhc3NOYW1lIiwiYXV0aCIsImNvbmZpZyIsImlzTWFzdGVyIiwiaXNNYWludGVuYW5jZSIsIlBhcnNlIiwiRXJyb3IiLCJPUEVSQVRJT05fRk9SQklEREVOIiwiaW5kZXhPZiIsInN0YXJ0c1dpdGgiLCJpc1JlYWRPbmx5IiwibW9kdWxlIiwiZXhwb3J0cyJdLCJzb3VyY2VzIjpbIi4uL3NyYy9TaGFyZWRSZXN0LmpzIl0sInNvdXJjZXNDb250ZW50IjpbImNvbnN0IGNsYXNzZXNXaXRoTWFzdGVyT25seUFjY2VzcyA9IFtcbiAgJ19Kb2JTdGF0dXMnLFxuICAnX1B1c2hTdGF0dXMnLFxuICAnX0hvb2tzJyxcbiAgJ19HbG9iYWxDb25maWcnLFxuICAnX0pvYlNjaGVkdWxlJyxcbiAgJ19JZGVtcG90ZW5jeScsXG5dO1xuY29uc3QgeyBjcmVhdGVTYW5pdGl6ZWRFcnJvciB9ID0gcmVxdWlyZSgnLi9FcnJvcicpO1xuXG4vLyBEaXNhbGxvd2luZyBhY2Nlc3MgdG8gdGhlIF9Sb2xlIGNvbGxlY3Rpb24gZXhjZXB0IGJ5IG1hc3RlciBrZXlcbmZ1bmN0aW9uIGVuZm9yY2VSb2xlU2VjdXJpdHkobWV0aG9kLCBjbGFzc05hbWUsIGF1dGgsIGNvbmZpZykge1xuICBpZiAoY2xhc3NOYW1lID09PSAnX0luc3RhbGxhdGlvbicgJiYgIWF1dGguaXNNYXN0ZXIgJiYgIWF1dGguaXNNYWludGVuYW5jZSkge1xuICAgIGlmIChtZXRob2QgPT09ICdkZWxldGUnIHx8IG1ldGhvZCA9PT0gJ2ZpbmQnKSB7XG4gICAgICB0aHJvdyBjcmVhdGVTYW5pdGl6ZWRFcnJvcihcbiAgICAgICAgUGFyc2UuRXJyb3IuT1BFUkFUSU9OX0ZPUkJJRERFTixcbiAgICAgICAgYENsaWVudHMgYXJlbid0IGFsbG93ZWQgdG8gcGVyZm9ybSB0aGUgJHttZXRob2R9IG9wZXJhdGlvbiBvbiB0aGUgaW5zdGFsbGF0aW9uIGNvbGxlY3Rpb24uYCxcbiAgICAgICAgY29uZmlnXG4gICAgICApO1xuICAgIH1cbiAgfVxuXG4gIC8vYWxsIHZvbGF0aWxlQ2xhc3NlcyBhcmUgbWFzdGVyS2V5IG9ubHlcbiAgaWYgKFxuICAgIGNsYXNzZXNXaXRoTWFzdGVyT25seUFjY2Vzcy5pbmRleE9mKGNsYXNzTmFtZSkgPj0gMCAmJlxuICAgICFhdXRoLmlzTWFzdGVyICYmXG4gICAgIWF1dGguaXNNYWludGVuYW5jZVxuICApIHtcbiAgICB0aHJvdyBjcmVhdGVTYW5pdGl6ZWRFcnJvcihcbiAgICAgIFBhcnNlLkVycm9yLk9QRVJBVElPTl9GT1JCSURERU4sXG4gICAgICBgQ2xpZW50cyBhcmVuJ3QgYWxsb3dlZCB0byBwZXJmb3JtIHRoZSAke21ldGhvZH0gb3BlcmF0aW9uIG9uIHRoZSAke2NsYXNzTmFtZX0gY29sbGVjdGlvbi5gLFxuICAgICAgY29uZmlnXG4gICAgKTtcbiAgfVxuXG4gIC8vIF9Kb2luIHRhYmxlcyBhcmUgaW50ZXJuYWwgYW5kIG11c3Qgb25seSBiZSBtb2RpZmllZCB0aHJvdWdoIHJlbGF0aW9uIG9wZXJhdGlvbnNcbiAgaWYgKGNsYXNzTmFtZS5zdGFydHNXaXRoKCdfSm9pbjonKSAmJiAhYXV0aC5pc01hc3RlciAmJiAhYXV0aC5pc01haW50ZW5hbmNlKSB7XG4gICAgdGhyb3cgY3JlYXRlU2FuaXRpemVkRXJyb3IoXG4gICAgICBQYXJzZS5FcnJvci5PUEVSQVRJT05fRk9SQklEREVOLFxuICAgICAgYENsaWVudHMgYXJlbid0IGFsbG93ZWQgdG8gcGVyZm9ybSB0aGUgJHttZXRob2R9IG9wZXJhdGlvbiBvbiB0aGUgJHtjbGFzc05hbWV9IGNvbGxlY3Rpb24uYCxcbiAgICAgIGNvbmZpZ1xuICAgICk7XG4gIH1cblxuICAvLyByZWFkT25seSBtYXN0ZXJLZXkgaXMgbm90IGFsbG93ZWRcbiAgaWYgKGF1dGguaXNSZWFkT25seSAmJiAobWV0aG9kID09PSAnZGVsZXRlJyB8fCBtZXRob2QgPT09ICdjcmVhdGUnIHx8IG1ldGhvZCA9PT0gJ3VwZGF0ZScpKSB7XG4gICAgdGhyb3cgY3JlYXRlU2FuaXRpemVkRXJyb3IoXG4gICAgICBQYXJzZS5FcnJvci5PUEVSQVRJT05fRk9SQklEREVOLFxuICAgICAgYHJlYWQtb25seSBtYXN0ZXJLZXkgaXNuJ3QgYWxsb3dlZCB0byBwZXJmb3JtIHRoZSAke21ldGhvZH0gb3BlcmF0aW9uLmAsXG4gICAgICBjb25maWdcbiAgICApO1xuICB9XG59XG5cbm1vZHVsZS5leHBvcnRzID0ge1xuICBlbmZvcmNlUm9sZVNlY3VyaXR5LFxufTtcbiJdLCJtYXBwaW5ncyI6Ijs7QUFBQSxNQUFNQSwyQkFBMkIsR0FBRyxDQUNsQyxZQUFZLEVBQ1osYUFBYSxFQUNiLFFBQVEsRUFDUixlQUFlLEVBQ2YsY0FBYyxFQUNkLGNBQWMsQ0FDZjtBQUNELE1BQU07RUFBRUM7QUFBcUIsQ0FBQyxHQUFHQyxPQUFPLENBQUMsU0FBUyxDQUFDOztBQUVuRDtBQUNBLFNBQVNDLG1CQUFtQkEsQ0FBQ0MsTUFBTSxFQUFFQyxTQUFTLEVBQUVDLElBQUksRUFBRUMsTUFBTSxFQUFFO0VBQzVELElBQUlGLFNBQVMsS0FBSyxlQUFlLElBQUksQ0FBQ0MsSUFBSSxDQUFDRSxRQUFRLElBQUksQ0FBQ0YsSUFBSSxDQUFDRyxhQUFhLEVBQUU7SUFDMUUsSUFBSUwsTUFBTSxLQUFLLFFBQVEsSUFBSUEsTUFBTSxLQUFLLE1BQU0sRUFBRTtNQUM1QyxNQUFNSCxvQkFBb0IsQ0FDeEJTLEtBQUssQ0FBQ0MsS0FBSyxDQUFDQyxtQkFBbUIsRUFDL0IseUNBQXlDUixNQUFNLDRDQUE0QyxFQUMzRkcsTUFDRixDQUFDO0lBQ0g7RUFDRjs7RUFFQTtFQUNBLElBQ0VQLDJCQUEyQixDQUFDYSxPQUFPLENBQUNSLFNBQVMsQ0FBQyxJQUFJLENBQUMsSUFDbkQsQ0FBQ0MsSUFBSSxDQUFDRSxRQUFRLElBQ2QsQ0FBQ0YsSUFBSSxDQUFDRyxhQUFhLEVBQ25CO0lBQ0EsTUFBTVIsb0JBQW9CLENBQ3hCUyxLQUFLLENBQUNDLEtBQUssQ0FBQ0MsbUJBQW1CLEVBQy9CLHlDQUF5Q1IsTUFBTSxxQkFBcUJDLFNBQVMsY0FBYyxFQUMzRkUsTUFDRixDQUFDO0VBQ0g7O0VBRUE7RUFDQSxJQUFJRixTQUFTLENBQUNTLFVBQVUsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDUixJQUFJLENBQUNFLFFBQVEsSUFBSSxDQUFDRixJQUFJLENBQUNHLGFBQWEsRUFBRTtJQUMzRSxNQUFNUixvQkFBb0IsQ0FDeEJTLEtBQUssQ0FBQ0MsS0FBSyxDQUFDQyxtQkFBbUIsRUFDL0IseUNBQXlDUixNQUFNLHFCQUFxQkMsU0FBUyxjQUFjLEVBQzNGRSxNQUNGLENBQUM7RUFDSDs7RUFFQTtFQUNBLElBQUlELElBQUksQ0FBQ1MsVUFBVSxLQUFLWCxNQUFNLEtBQUssUUFBUSxJQUFJQSxNQUFNLEtBQUssUUFBUSxJQUFJQSxNQUFNLEtBQUssUUFBUSxDQUFDLEVBQUU7SUFDMUYsTUFBTUgsb0JBQW9CLENBQ3hCUyxLQUFLLENBQUNDLEtBQUssQ0FBQ0MsbUJBQW1CLEVBQy9CLG9EQUFvRFIsTUFBTSxhQUFhLEVBQ3ZFRyxNQUNGLENBQUM7RUFDSDtBQUNGO0FBRUFTLE1BQU0sQ0FBQ0MsT0FBTyxHQUFHO0VBQ2ZkO0FBQ0YsQ0FBQyIsImlnbm9yZUxpc3QiOltdfQ==
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "parse-server",
3
- "version": "9.5.2-alpha.6",
3
+ "version": "9.5.2-alpha.7",
4
4
  "description": "An express module providing a Parse-compatible API server",
5
5
  "main": "lib/index.js",
6
6
  "repository": {