refactor(query): deprecate explain without master key #7521
Conversation
…on warning Added pending tests that ensure non-master users cannot run explain queries Added the change to the CHANGELOG
Codecov Report
@@ Coverage Diff @@
## master #7521 +/- ##
=======================================
Coverage 93.92% 93.92%
=======================================
Files 181 181
Lines 13273 13278 +5
=======================================
+ Hits 12467 12472 +5
Misses 806 806
Continue to review full report at Codecov.
|
mtrezza
changed the title
|
@mstniy Please feel free to request a review once this is ready. |
| @@ -6,6 +6,7 @@ The following is a list of deprecations, according to the [Deprecation Policy](h | |||
| |-------------------------------------------------|----------------------------------------------------------------------|---------------------------------|---------------------------------|-----------------------|-------| | |||
| | Native MongoDB syntax in aggregation pipeline | [#7338](https://github.com/parse-community/parse-server/issues/7338) | 5.0.0 (2022) | 6.0.0 (2023) | deprecated | - | | |||
| | Config option `directAccess` defaults to `true` | [#6636](https://github.com/parse-community/parse-server/pull/6636) | 5.0.0 (2022) | 6.0.0 (2023) | deprecated | - | | |||
| | `explain` queries used by non-master users | [#7519](https://github.com/parse-community/parse-server/issues/7519) | 5.0.0 (2022) | 6.0.0 (2023) | deprecated | - | | |||
There was a problem hiding this comment.
Can you rephrase that as
Execute
explainqueries without masterkey
And can you add an ID for this deprecation, after you merge master into this PR
| @@ -5218,4 +5218,36 @@ describe('Parse.Query testing', () => { | |||
| // Validate | |||
| expect(result.executionStats).not.toBeUndefined(); | |||
| }); | |||
|
|
|||
| xit('users cannot use explain queries', async () => { | |||
There was a problem hiding this comment.
I assume this is in preparation for after the deprecation?
Could you add a short comment above?
Deprecation DEPPS3: enable this test after deprecation
Assuming that DEPPS3 is the ID of this deprecation
| equal(e.message, 'Cannot explain'); | ||
| } | ||
| }).pend('Disabled until non-master explains are disabled'); | ||
| it('the master key can use explain queries', async () => { |
| @@ -108,6 +108,7 @@ ___ | |||
| - Added Deprecation Policy to govern the introduction of breaking changes in a phased pattern that is more predictable for developers (Manuel Trezza) [#7199](https://github.com/parse-community/parse-server/pull/7199) | |||
| - Add REST API endpoint `/loginAs` to create session of any user with master key; allows to impersonate another user. (GormanFletcher) [#7406](https://github.com/parse-community/parse-server/pull/7406) | |||
| - Add official support for MongoDB 5.0 (Manuel Trezza) [#7469](https://github.com/parse-community/parse-server/pull/7469) | |||
| - Deprecated ``explain` queries run by non-master users (Kartal Kaan Bozdogan) [#7519](https://github.com/parse-community/parse-server/issues/7519) | |||
There was a problem hiding this comment.
Can you rephrase this as:
Deprecated executing
explainqueries without masterkey
| @@ -26,6 +27,12 @@ function checkLiveQuery(className, config) { | |||
| // Returns a promise for an object with optional keys 'results' and 'count'. | |||
| function find(config, auth, className, restWhere, restOptions, clientSDK, context) { | |||
| enforceRoleSecurity('find', className, auth); | |||
| if (restOptions && restOptions.explain && !auth.isMaster) { | |||
| //throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Cannot explain'); | |||
There was a problem hiding this comment.
Can you also add a comment here please, similar to the one above Deprecation DEPPS3: ...
| @@ -57,6 +64,12 @@ function find(config, auth, className, restWhere, restOptions, clientSDK, contex | |||
| const get = (config, auth, className, objectId, restOptions, clientSDK, context) => { | |||
| var restWhere = { objectId }; | |||
| enforceRoleSecurity('get', className, auth); | |||
| if (restOptions && restOptions.explain && !auth.isMaster) { | |||
| //throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Cannot explain'); | |||
| Deprecator.logRuntimeDeprecation({ | |||
There was a problem hiding this comment.
Can you also add a comment here please, similar to the one above Deprecation DEPPS3: ...
|
@mstniy Do you think you could resolve the conflicts so we can prepare this PR for merge? |
New Pull Request Checklist
Issue Description
Currently, any user is able to run a query with the explain parameter and obtain the raw result returned by MongoDB. This discloses too much information to the clients, nor is it of great utility to them.
Related issue: #7519
Approach
rest.js now prints a deprecation warning if a non-master user tries to run an
explainquery. Client-facing behaviour is intact.TODOs before merging