Do not require addField permissions unless the root field does not exist

Also added a corresponding regression test
parse-community · Apr 25, 2021 · ed6a5d8 · ed6a5d8
1 parent 3638b0e
commit ed6a5d8
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/spec/Schema.spec.js b/spec/Schema.spec.js
@@ -1367,6 +1367,24 @@ describe('SchemaController', () => {
   });
 });
 
+describe('Class Level Permissions', () => {
+  it('does not require addField for nested modification (#7371)', async () => {
+    const testSchema = new Parse.Schema('test_7371');
+    testSchema.setCLP({
+      create: { ['*']: true },
+      update: { ['*']: true },
+      addField: {},
+    });
+    testSchema.addObject('a');
+    await testSchema.save();
+    const obj = new Parse.Object('test_7371');
+    obj.set('a', { b: 1 });
+    await obj.save();
+    obj.set('a.b', 2);
+    await obj.save();
+  });
+});
+
 describe('Class Level Permissions for requiredAuth', () => {
   beforeEach(() => {
     config = Config.get('test');

diff --git a/src/Controllers/DatabaseController.js b/src/Controllers/DatabaseController.js
@@ -894,7 +894,7 @@ class DatabaseController {
       if (object[field] && object[field].__op && object[field].__op === 'Delete') {
         return false;
       }
-      return schemaFields.indexOf(field) < 0;
+      return schemaFields.indexOf(getRootFieldName(field)) < 0;
     });
     if (newKeys.length > 0) {
       // adds a marker that new field is being adding during update