Add enforceMasterKeyAccess middleware.

nlutsenko · nlutsenko · commit 8cac7f577dde · 2016-02-11T22:18:41.000-08:00
diff --git a/spec/ParseFile.spec.js b/spec/ParseFile.spec.js
@@ -101,8 +101,8 @@ describe('Parse.File testing', () => {
       }, (error, response, body) => {
         expect(error).toBe(null);
         var del_b = JSON.parse(body);
-        expect(response.statusCode).toEqual(400);
-        expect(del_b.code).toEqual(119);
+        expect(response.statusCode).toEqual(403);
+        expect(del_b.error).toEqual('unauthorized');
         // incorrect X-Parse-Master-Key header
         request.del({
           headers: {
@@ -114,8 +114,8 @@ describe('Parse.File testing', () => {
         }, (error, response, body) => {
           expect(error).toBe(null);
           var del_b2 = JSON.parse(body);
-          expect(response.statusCode).toEqual(400);
-          expect(del_b2.code).toEqual(119);
+          expect(response.statusCode).toEqual(403);
+          expect(del_b2.error).toEqual('unauthorized');
           done();
         });
       });
diff --git a/src/Controllers/FilesController.js b/src/Controllers/FilesController.js
@@ -76,13 +76,6 @@ export class FilesController {
 
   deleteHandler() {
     return (req, res, next) => {
-      // enforce use of master key for file deletions
-      if(!req.auth.isMaster){
-        next(new Parse.Error(Parse.Error.OPERATION_FORBIDDEN,
-          'Master key required for file deletion.'));
-        return;
-      }
-
       this._filesAdapter.deleteFile(req.config, req.params.filename).then(() => {
         res.status(200);
         // TODO: return useful JSON here?
@@ -142,6 +135,7 @@ export class FilesController {
     router.delete('/files/:filename',
       Middlewares.allowCrossDomain,
       Middlewares.handleParseHeaders,
+      Middlewares.enforceMasterKeyAccess,
       this.deleteHandler()
     );
 
diff --git a/src/middlewares.js b/src/middlewares.js
@@ -178,15 +178,22 @@ var handleParseErrors = function(err, req, res, next) {
   }
 };
 
+function enforceMasterKeyAccess(req, res, next) {
+  if (!req.auth.isMaster) {
+    return invalidRequest(req, res);
+  }
+  next();
+}
+
 function invalidRequest(req, res) {
   res.status(403);
   res.end('{"error":"unauthorized"}');
 }
 
-
 module.exports = {
   allowCrossDomain: allowCrossDomain,
   allowMethodOverride: allowMethodOverride,
   handleParseErrors: handleParseErrors,
-  handleParseHeaders: handleParseHeaders
+  handleParseHeaders: handleParseHeaders,
+  enforceMasterKeyAccess: enforceMasterKeyAccess
 };
