Parse-SDK-JS icon indicating copy to clipboard operation
Parse-SDK-JS copied to clipboard
verified publisher icon parse-community

Aggregate query does not honor `sessionToken` option if passed

Open obermillerk opened this issue 4 years ago • 7 comments

New Issue Checklist

Issue Description

Aggregate query does not honor the sessionToken option.

When passing a sessionToken it should only return objects that are readable by the user with that session token. Instead, the ACLs are ignored and all objects are returned.

Specifically, I have a query that is retrieving all objects of a certain class. A non-aggregate query could use the session token to only return objects the user has read permissions for. In the aggregate query, all objects are returned regardless of permissions.

I know that aggregate queries are different from normal queries and it may be impossible for you to support this option, but if that is the case the sessionToken should not be listed as an option for the aggregate function on the docs for Parse.Query (https://parseplatform.org/Parse-SDK-JS/api/master/Parse.Query.html#aggregate).

Steps to reproduce

  • Create a user and create some Parse Objects that the user has exclusive read and write access to in the ACL
  • Create a Cloud function that runs an aggregate query for these Parse Objects and returns all of them
  • Log in as a second user and run the aggregate query

Actual Outcome

The objects owned by the first user are returned as part of the results for the second user's query.

Expected Outcome

The objects owned by the first user should be excluded from the second user's query. Only objects the second user has read access to should be returned.

Environment

Server

  • Parse Server version: 4.5.0
  • Operating system: Windows 10, I think also linux on our deployed server
  • Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): local (and deployed)

Database

  • System (MongoDB or Postgres): MongoDB
  • Database version: 4.2.6
  • Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): local (and deployed)

Client

  • Parse JS SDK version: 3.3.0

Logs

obermillerk avatar Aug 12 '21 17:08 obermillerk

While this is theoretically possible, it requires an enormous effort to parse the MongoDB aggregation syntax and interpret it correctly. It essentially requires to replicate the whole MongoDB aggregation parser in Parse Server. Given the versatility of aggregation and implied complexity, I would consider this highly unfeasible. Maybe consider aggregation queries as a form of "direct access" to the database that circumvents any Parse Server checks - and for that matter even most MongoDB Node.js driver checks.

I'm closing this for now, we can always re-open if someone really wants to pick this up and start working on it.

mtrezza avatar Oct 05 '21 13:10 mtrezza

Just FYI maybe worth updating the docs as it says here its possible to use https://parseplatform.org/Parse-SDK-JS/api/master/Parse.Query.html#aggregate

REPTILEHAUS avatar Aug 01 '23 15:08 REPTILEHAUS

Would you want to open an issue or even just a quick PR?

mtrezza avatar Aug 03 '23 06:08 mtrezza

@mtrezza I can indeed, where do i find these docs ? I had a look around and found this repo but dont see anything related to the page i posted above https://github.com/parse-community/docs

Also if i remove the only valid option for aggregate(pipeline, options) should i just remove the options entirely from aggregate ?

REPTILEHAUS avatar Aug 04 '23 07:08 REPTILEHAUS

This is created in the Parse JS SDK API docs, as you can see in the URL, Parse-SDK-JS:

https://parseplatform.org/Parse-SDK-JS/api/master/Parse.Query.html#aggregate

I wonder whether the option should actually be removed. Maybe the docs mean that the session token makes a ParseUser and/or the session token available in a Cloud Code trigger? But not sure if there are any triggers for aggregate queries? If so, we may only need to add a note that ACL / CLP are not applicable to aggregate queries. I think a look into the JS SDK and server code could give more insight here.

mtrezza avatar Aug 04 '23 18:08 mtrezza

Thanks for opening this issue!

  • 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

parse-github-assistant[bot] avatar Aug 04 '23 18:08 parse-github-assistant[bot]

Reopened, because the docs need to be adapted.

mtrezza avatar Aug 04 '23 18:08 mtrezza