Add enforceMasterKeyAccess middleware.
nlutsenko committed Feb 12, 2016
1 parent e6ef0ae commit 8cac7f5
Showing 3 changed files with 14 additions and 13 deletions.
8 changes: 4 additions & 4 deletions spec/ParseFile.spec.js
@@ -101,8 +101,8 @@ describe('Parse.File testing', () => {
}, (error, response, body) => {
expect(error).toBe(null);
var del_b = JSON.parse(body);
expect(response.statusCode).toEqual(400);
expect(del_b.code).toEqual(119);
expect(response.statusCode).toEqual(403);
expect(del_b.error).toEqual('unauthorized');
// incorrect X-Parse-Master-Key header
request.del({
headers: {
@@ -114,8 +114,8 @@ describe('Parse.File testing', () => {
}, (error, response, body) => {
expect(error).toBe(null);
var del_b2 = JSON.parse(body);
expect(response.statusCode).toEqual(400);
expect(del_b2.code).toEqual(119);
expect(response.statusCode).toEqual(403);
expect(del_b2.error).toEqual('unauthorized');
done();
});
});
8 changes: 1 addition & 7 deletions src/Controllers/FilesController.js
@@ -76,13 +76,6 @@ export class FilesController {

deleteHandler() {
return (req, res, next) => {
// enforce use of master key for file deletions
if(!req.auth.isMaster){
next(new Parse.Error(Parse.Error.OPERATION_FORBIDDEN,
'Master key required for file deletion.'));
return;
}

this._filesAdapter.deleteFile(req.config, req.params.filename).then(() => {
res.status(200);
// TODO: return useful JSON here?
@@ -142,6 +135,7 @@ export class FilesController {
router.delete('/files/:filename',
Middlewares.allowCrossDomain,
Middlewares.handleParseHeaders,
Middlewares.enforceMasterKeyAccess,
this.deleteHandler()
);

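Review bot: With the inline `req.auth.isMaster` check removed, `deleteHandler()` performs no authorization of its own, so file deletion is protected only by the position of `Middlewares.enforceMasterKeyAccess` in the `router.delete('/files/:filename', ...)` chain. A later route or refactor that mounts `deleteHandler()` without that middleware, or places it ahead of `Middlewares.handleParseHeaders` (which presumably populates `req.auth`), would leave deletes unauthenticated. I would record the dependency with a comment above the handler, e.g. `// No auth check here: routes must mount Middlewares.enforceMasterKeyAccess before this handler.` The body of `deleteHandler` continues outside the hunk.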
11 changes: 9 additions & 2 deletions src/middlewares.js
@@ -178,15 +178,22 @@ var handleParseErrors = function(err, req, res, next) {
}
};

function enforceMasterKeyAccess(req, res, next) {
if (!req.auth.isMaster) {
return invalidRequest(req, res);
}
next();
}

function invalidRequest(req, res) {
res.status(403);
res.end('{"error":"unauthorized"}');
}


module.exports = {
allowCrossDomain: allowCrossDomain,
allowMethodOverride: allowMethodOverride,
handleParseErrors: handleParseErrors,
handleParseHeaders: handleParseHeaders
handleParseHeaders: handleParseHeaders,
enforceMasterKeyAccess: enforceMasterKeyAccess
};
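Review bot: `enforceMasterKeyAccess` dereferences `req.auth` unconditionally, so on any route where an earlier middleware has not set `req.auth` the request ends in a TypeError instead of the intended 403. That still fails closed, but the guard is more robust as `if (!req.auth || !req.auth.isMaster) {`. Judging by the updated spec, the rejection also changes the client-visible contract from a 400 carrying Parse error code 119 to a 403 with the bare `{"error":"unauthorized"}` body and no `code` field. That deserves a comment on the function, e.g. `// Rejects with 403 {"error":"unauthorized"} unless the request carries the master key.`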
