Can no longer do setPassword() from cloud code with the master key #1087

Closed
all-iver opened this issue Mar 18, 2016 · 10 comments
@all-iver

We have an admin interface so CS can set passwords for users who are having trouble setting their own. Unfortunately I can no longer seem to set the password for a user from cloud code using the master key.

Environment Setup

Get a user from cloud code using Parse.Query(Parse.User).get(). ACL is set so that the user can read/write their own data and anyone in the Admin role can read it, but we require the master key to actually change another user's data.

Steps to reproduce

Call user.setPassword("some new password") and attempt to save with useMasterKey: true.

Logs/Trace

error: ParseError { code: 101, message: 'Permission denied for this action.' }

@gfosco
Contributor

gfosco commented Mar 18, 2016

How are you calling save? The right way would be, user.save(null, { useMasterKey: true });

@gfosco gfosco closed this as completed Mar 18, 2016
@all-iver
Author

I get the error with the following test code, however I am now also getting a permission denied error for Parse.User.signUp which makes me wonder if there's some configuration problem with the schema or something. Logging in works.

```js
Parse.Cloud.define('testSetPasswordForUser', function(request, response) {
    new Parse.Query(Parse.User).get(request.params.userId, {
        useMasterKey: true,
        success: function(user) {
            user.setPassword(request.params.newPassword);
            user.save(null, {
                useMasterKey: true,
                success: response.success,
                error: function(obj, error) {
                    response.error(error.message);
                }
            });
        },
        error: function(obj, error) {
            response.error(error.message);
        }
    });
});
```

@gfosco
Contributor

gfosco commented Mar 18, 2016

What error? I think you should JSON encode the object in a response to a cloud function:

```js
Parse.Cloud.define('testSetPasswordForUser', function(request, response) {
  var query = new Parse.Query("_User");
  // Fetch the target user with the master key so ACLs do not block the read.
  query.get(request.params.userId, { useMasterKey: true }).then((user) => {
    user.setPassword(request.params.newPassword);
    // The save must also carry the master key.
    return user.save(null, { useMasterKey: true });
  }).then((user) => {
    response.success(JSON.stringify(user));
  }, (error) => {
    // A promise rejection handler receives the error as its only argument.
    response.error(error.message);
  });
});
```

^ Your code updated with promises.

@all-iver
Author

This may be a separate issue :) But I'm trying to create a user to test the password setting in a clean way and this error is happening. I am on 2.1.6.

```js
Parse.initialize("testapp", "");
Parse.serverURL = 'http://localhost:1337/parse';

Parse.User.signUp("testuser@testdomain.com", "somepass").then(function() {
    console.log('success');
}, function(e) {
    console.log(e);
});
```

```
POST /parse/users { host: 'localhost:1337',
  connection: 'keep-alive',
  'content-length': '245',
  'cache-control': 'max-age=0',
  origin: 'null',
  'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36',
  'content-type': 'text/plain',
  accept: '*/*',
  'accept-encoding': 'gzip, deflate',
  'accept-language': 'en-US,en;q=0.8' } {
  "username": "testuser@testdomain.com",
  "password": "somepass"
}
error: ParseError { code: 101, message: 'Permission denied for this action.' }
```

@gfosco
Contributor

gfosco commented Mar 18, 2016

Take a look at the _SCHEMA collection, at the row for _User. It's failing a class-level permission, so tell me what is in the _metadata key of that object.

@all-iver
Author

    "_metadata": {
        "class_permissions": {
            "get": {
                "*": true
            },
            "find": {
                "role:Admin": true
            },
            "update": {
                "*": true
            },
            "create": {
                "*": true
            },
            "delete": {},
            "addField": {},
            "readUserFields": [],
            "writeUserFields": []
        }
    },

@gfosco
Contributor

gfosco commented Mar 18, 2016

Try adding `"*": true` temporarily to the addField object. If that doesn't work, it's unclear which operation is being prohibited, and you should add a log line to `node_modules/parse-server/lib/Schema.js` in the validatePermission method: `console.log(className, aclGroup, operation);` and then run through the steps and see where it fails.

@all-iver
Author

Okay, that did work, and after creating one user I set it back the way it was and it seems happy. It also has fixed the original error with setting a user's password with the master key.

Looking at the schema, it seems to have added these fields to the schema record for _User that weren't there from the initial migration:

    "password": "string",
    "ACL": "object"

I'm pretty sure I've run User.signUp a bunch in the past so I'm guessing those were implicit fields in the past and upgrading to 2.1.6 means they're now explicit in the schema? In any case, thanks for the help!

@gfosco
Contributor

gfosco commented Mar 18, 2016

Ok, glad it's working. CLPs are still an area in progress.

@jsuresh

jsuresh commented Mar 31, 2016

I think the actual fix here is that, if we are using the master key, canAddField (in DatabaseController) should always return true. I've created a PR, #1294.

As for the issue with the password field not being part of the _User object, shouldn't we explicitly check the defaultColumns as well in Schema.js?
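
The failure mode worked out in this thread, as an added sketch that is not part of the original issue and is not parse-server's own code: a write that introduces fields missing from the class schema also needs the `addField` class-level permission, which is why both the sign-up and the master-key password change returned code 101 until `password` and `ACL` were recorded in the `_User` schema. The function names, the `bypassForMaster` option (modelling the change proposed in the last comment) and the `beforeFix`/`afterFix` schema objects are assumptions constructed for illustration.

```javascript
// Simplified model of the class-level permission (CLP) behaviour reported in
// this thread. Names are hypothetical; this is not parse-server's Schema.js.

// CLP for _User exactly as posted in the thread.
const userClp = {
  get: { '*': true },
  find: { 'role:Admin': true },
  update: { '*': true },
  create: { '*': true },
  delete: {},
  addField: {},
};

// True if any of the caller's ACL groups is granted the operation.
function clpAllows(clp, operation, aclGroup) {
  const grants = clp[operation] || {};
  return aclGroup.some((key) => grants[key] === true);
}

// Returns the name of the permission that blocks the request, or null if the
// request is allowed. A write that carries fields not yet in the schema must
// also pass addField. bypassForMaster models the proposed fix: master key
// requests skip the addField check.
function blockedBy(clp, schemaFields, operation, aclGroup, body, opts = {}) {
  const { isMaster = false, bypassForMaster = false } = opts;
  if (!isMaster && !clpAllows(clp, operation, aclGroup)) return operation;
  const has = (f) => Object.prototype.hasOwnProperty.call(schemaFields, f);
  const newFields = Object.keys(body).filter((f) => !has(f));
  if (newFields.length === 0) return null;
  if (isMaster && bypassForMaster) return null;
  return clpAllows(clp, 'addField', aclGroup) ? null : 'addField';
}

// Constructed schema state: before the fix, password and ACL are not recorded
// for _User; afterwards they are, matching the fields the author saw appear.
const beforeFix = { username: 'string', email: 'string' };
const afterFix = { ...beforeFix, password: 'string', ACL: 'object' };
const anon = ['*'];

// Constructed request bodies for the two failing calls in the thread.
const signUpBody = { username: 'testuser@testdomain.com', password: 'somepass' };
const setPasswordBody = { password: 'some new password' };

console.log(blockedBy(userClp, beforeFix, 'create', anon, signUpBody));
console.log(blockedBy(userClp, beforeFix, 'update', [], setPasswordBody, { isMaster: true }));
```

Once the fields exist in the schema, `addField` can go back to `{}` without breaking sign-up, which matches what the author observed after reverting the temporary `"*": true` grant.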
