parse-server

User with Role "Admin" cannot fetch public records


I have a class Room that has a class-level ACL of public read/write. Each record then has a record-level ACL granting <owner-user-id> r/w and role:Admin r/w.

What happens is that the User with the Admin role can only read "some" of the Rooms, even though all of them have identical ACLs (only the user id changes), and he cannot read the "public records".

Strange fact: if I query the Room class without any sessionToken I see the public records, but if I use the session token of the role:Admin user I cannot see them.

I have the same problem with both the REST API and the JavaScript Client API.

How is this possible? Am I missing some configuration?

Here is an example of a Room that "role:Admin users" cannot read (from MongoDB):

{
    "_id" : "MZoIBY3zuo",
    "xxx" : [],
    "_p_home" : "Home$xxxxx",
    "roomName" : "xxxxx",
    "area" : null,
    "height" : x,
    "windows" : x,
    "tempMin" : x,
    "tempMax" : x,
    "_wperm" : [
        "CpcI4SOzE4",
        "role:Admin",
        "*"
    ],
    "_rperm" : [
        "CpcI4SOzE4",
        "role:Admin",
        "*"
    ],
    "_acl" : {
        "CpcI4SOzE4" : {
            "w" : true,
            "r" : true
        },
        "role:Admin" : {
            "w" : true,
            "r" : true
        },
        "*" : {
            "w" : true,
            "r" : true
        }
    },
    "_created_at" : ISODate("2018-10-31T14:02:32.791Z"),
    "_updated_at" : ISODate("2018-11-04T11:23:19.683Z")
}
{
    "_id" : "BziFbnP1Ny",
    "xxx" : [],
    "_p_home" : "Home$pbqrrk1JVo",
    "roomName" : "xxx2",
    "area" : null,
    "height" : 3,
    "windows" : 2,
    "tempMin" : 20,
    "tempMax" : 23,
    "_wperm" : [
        "CpcI4SOzE4",
        "role:Admin"
    ],
    "_rperm" : [
        "CpcI4SOzE4",
        "role:Admin"
    ],
    "_acl" : {
        "CpcI4SOzE4" : {
            "w" : true,
            "r" : true
        },
        "role:Admin" : {
            "w" : true,
            "r" : true
        }
    },
    "_created_at" : ISODate("2018-10-31T14:02:00.180Z"),
    "_updated_at" : ISODate("2018-11-01T01:08:53.643Z")
}

Here is a Room that "role:Admin users" can read:

{
    "_id" : "pCzvLPWbYD",
    "_p_home" : "Home$sYX5pMvUfe",
    "roomName" : "xxx3",
    "area" : null,
    "height" : 3,
    "windows" : 4,
    "tempMin" : 21,
    "tempMax" : 23,
    "_wperm" : [
        "TgNwD80kcR",
        "role:Admin"
    ],
    "_rperm" : [
        "TgNwD80kcR",
        "role:Admin"
    ],
    "_acl" : {
        "TgNwD80kcR" : {
            "w" : true,
            "r" : true
        },
        "role:Admin" : {
            "w" : true,
            "r" : true
        }
    },
    "_created_at" : ISODate("2018-10-12T15:09:55.244Z"),
    "_updated_at" : ISODate("2018-11-04T10:43:57.607Z"),
    "xxx" : [],
    "xxxx" : {}
}

Roles

> db.getCollection('_Role').find()
{ "_id" : "Y0Y3xg3Tij", "_rperm" : [ "role:Redactor" ], "_wperm" : [ ], "_acl" : { "role:Redactor" : { "r" : true } }, "name" : "Redactor", "_updated_at" : ISODate("2017-12-01T09:05:59.306Z"), "_created_at" : ISODate("2016-10-17T16:07:27.186Z") }
{ "_id" : "CGuF9CgXjs", "name" : "Admin", "_wperm" : [ ], "_rperm" : [ "role:Admin" ], "_acl" : { "role:Admin" : { "r" : true } }, "_created_at" : ISODate("2017-12-01T09:05:07.986Z"), "_updated_at" : ISODate("2017-12-01T09:07:25.473Z") }

User linked to Roles:

> db.getCollection('_Join:users:_Role').find()
{ "_id" : ObjectId("5a211bcdbd15be8e7457a263"), "owningId" : "CGuF9CgXjs", "relatedId" : "yHhVd7yybE" }
{ "_id" : ObjectId("5a211bcdbd15be8e7457a264"), "owningId" : "CGuF9CgXjs", "relatedId" : "OAhrAzI7HV" }

Admin user:

> db.getCollection('_User').find({username: 'XXX'})
{ "_id" : "yHhVd7yybE", "utcTime" : ISODate("2017-09-16T09:45:23.225Z"), "username" : "XXX", "email" : "xxxx", "_hashed_password" : "xxxxxxx", "_wperm" : [ "yHhVd7yybE" ], "_rperm" : [ "*", "yHhVd7yybE" ], "_acl" : { "yHhVd7yybE" : { "w" : true, "r" : true }, "*" : { "r" : true } }, "_created_at" : ISODate("2017-09-16T09:41:16.941Z"), "_updated_at" : ISODate("2018-09-28T21:41:31.740Z"), "_p_linkedHome" : "Home$R0H3ObzmMC", "location" : "Zurich" }

Room schema:

{
    "_id" : "Room",
    "objectId" : "string",
    "updatedAt" : "string",
    "createdAt" : "string",
    "roomName" : "string",
    "tempMin" : "number",
    "tempMax" : "number",
    "area" : "number",
    "height" : "number",
    "windows" : "number",
    "home" : "*Home",
    "data" : "array",
    "xxxxx" : "array",
    "xxx" : "array",
    "_metadata" : {
        "class_permissions" : {
            "get" : {
                "*" : true,
                "role:Admin" : true
            },
            "find" : {
                "*" : true,
                "role:Admin" : true
            },
            "create" : {
                "*" : true,
                "role:Admin" : true
            },
            "update" : {
                "*" : true,
                "role:Admin" : true
            },
            "delete" : {
                "*" : true,
                "role:Admin" : true
            },
            "addField" : {
                "*" : true,
                "role:Admin" : true
            }
        },
        "indexes" : {
            "_id_" : {
                "_id" : 1
            }
        }
    },
    "xxxx" : "object"
}

Solution

  • Oh my god, I found the issue. Actually I was not setting the limit on the query correctly, on both the client and the REST API, so it was returning only the 100 most recent rooms — and the public ones were of course the last created, so they fell outside that window. Very stupid error :(