
LiveQuery roles, pointer permissions are missing

Open nangyal opened this issue 6 years ago • 10 comments

Is your feature request related to a problem? Please describe. The LiveQuery permission management does not handle roles and pointer permissions.

Describe the solution you'd like

Describe alternatives you've considered

Additional context https://github.com/parse-community/parse-server/blob/2e0940c996516692ff9ac8497bcb7181c9fe72a9/src/LiveQuery/ParseLiveQueryServer.js#L481

nangyal avatar Jul 22 '19 20:07 nangyal

@nangyal thanks for reporting. Would you be willing to tackle this one?

davimacedo avatar Jul 22 '19 21:07 davimacedo

Commented this in #5393 as well which I think has a better description of what is going wrong.

We are having an issue with this and @ridem in #5393 has made a perfect analysis of what is wrong. Would be fun to make a PR on how to fix it but I am not sure how, I believe it could be quite tricky.

Why it is important to fix:

  • When adding a user to a role, it might take up to an hour before the cache is reset and live queries work again.
  • When removing a user from a role, she might still have access to data which she should not have access to, which is a bit of a security issue.

I made a small workaround. It is not optimal, but as long as we have the liveQueryServer and the parseServer on the same server it will work:

  • create the server as usual const liveQueryServer = ParseServer.createLiveQueryServer(httpServer)
  • In _Role add the following to beforeSave liveQueryServer.authCache.reset()

This clears the cache as soon as a role is changed. It could easily be made smarter by fetching the users that belong to that role and only removing or editing those rows in the authCache.

mullwaden avatar Nov 06 '19 08:11 mullwaden
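The failure mode described above, and both the full-reset workaround and the "smarter" targeted eviction, as an added constructed model. This is not parse-server code: the `authCache`, `roleMembers`, `sessions` and `saveRole` names below are stand-ins for the LiveQuery server's session cache and role resolution, and the hourly TTL mirrors the staleness window mentioned in the comment.

```javascript
// Constructed model of a stale role cache in front of ACL checks.
// Nothing here is parse-server's own code; it only reproduces the behaviour
// discussed in this thread so the three cache strategies can be compared.

// Role membership "database": roleName -> Set of userIds (constructed sample data)
const roleMembers = new Map([['RoleX', new Set(['alice'])]]);

// Session tokens -> userIds (constructed sample data)
const sessions = new Map([['tok-alice', 'alice'], ['tok-bob', 'bob']]);

// Simulated LiveQuery-side cache: sessionToken -> { userId, roles, cachedAt }.
// Entries are trusted for TTL_MS, which is why a role change is not seen for up to an hour.
const TTL_MS = 60 * 60 * 1000;
const authCache = new Map();

// Resolve a user's roles from the membership store (the slow path).
function resolveRoles(userId) {
  const roles = [];
  for (const [name, members] of roleMembers) {
    if (members.has(userId)) roles.push(name);
  }
  return roles;
}

// Roles for a session token, served from the cache while the entry is fresh.
function rolesForSession(token, now) {
  const hit = authCache.get(token);
  if (hit && now - hit.cachedAt < TTL_MS) return hit.roles;
  const userId = sessions.get(token);
  if (!userId) return [];
  const roles = resolveRoles(userId);
  authCache.set(token, { userId, roles, cachedAt: now });
  return roles;
}

// Read check a LiveQuery server would run before pushing an event to a subscriber.
function canRead(token, acl, now) {
  const roles = rolesForSession(token, now);
  return acl.read.some((r) => roles.includes(r));
}

// Role save with three cache strategies:
//   'naive'    - no cache handling, entries go stale until the TTL expires
//   'reset'    - clear the whole cache (the workaround from the comment above)
//   'targeted' - evict only sessions belonging to users added to or removed from the role
function saveRole(name, members, strategy) {
  const before = roleMembers.get(name) || new Set();
  roleMembers.set(name, new Set(members));
  if (strategy === 'reset') {
    authCache.clear();
  } else if (strategy === 'targeted') {
    const affected = new Set([...before, ...members]);
    for (const [token, entry] of authCache) {
      if (affected.has(entry.userId)) authCache.delete(token);
    }
  }
}

// Scenario: alice is in RoleX and bob is not; both subscribe (warming the cache);
// then the role is saved with alice removed and bob added.
function scenario(strategy) {
  authCache.clear();
  roleMembers.set('RoleX', new Set(['alice']));
  const acl = { read: ['RoleX'] };
  const t0 = 1000000;
  const aliceBefore = canRead('tok-alice', acl, t0);
  const bobBefore = canRead('tok-bob', acl, t0);
  saveRole('RoleX', ['bob'], strategy);
  const t1 = t0 + 1000; // one second later, well inside the TTL
  return {
    aliceBefore,
    bobBefore,
    aliceAfter: canRead('tok-alice', acl, t1),
    bobAfter: canRead('tok-bob', acl, t1),
  };
}

module.exports = { scenario, saveRole, canRead, rolesForSession, authCache };
```

With `'naive'`, alice keeps receiving RoleX events after removal and bob gets none after being added; both `'reset'` and `'targeted'` give the correct answers immediately, and the targeted variant avoids throwing away cache entries for users the role change did not touch.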

Thank you @mullwaden

I've been facing exactly the same issue with roles and freshly added users as described at #5393. I've spent a couple of days investigating the issue, found the live query cache, but wasn't sure how to configure or reset it.

Your solution helped, I'll use it for now. I hope the final fix will be more efficient.

qwertyway avatar Dec 24 '19 07:12 qwertyway

Is this in relation to an LQ event not being fired if the related Role is updated? Or is this something else?

E.g, if

role.getUsers().add(user);
await role.save();

Is called, related LQ objects with the role should fire an enter or leave event.

dblythy avatar Mar 16 '21 00:03 dblythy

@dblythy the issue is that the cache can be outdated. So let's say a user is added to a role RoleX and then tries to fetch a database row with the acl = { read: RoleX }. Regular fetching will work, but the live updates will fail because the liveQuery cache is outdated, i.e. the user has not yet been added to the cache of that particular role.

mullwaden avatar Mar 16 '21 08:03 mullwaden

2 years passed and still not fixed :)

nangyal avatar Jul 26 '21 23:07 nangyal

@nangyal Have you tried putting the LQ trigger on the role class?

dblythy avatar Jul 27 '21 02:07 dblythy

No, I solved it a different way [redacted]

nangyal avatar Oct 25 '21 10:10 nangyal

I note the code snippet referenced refers to the _matchesCLP function, so are you saying that if you have roles in CLP Parse Live Query doesn't correctly handle it?

It's a little vague for what the issue actually is - and LiveQuery (to my testing) does support role based ACLs.

@mullwaden I have reopened #5393 as I have been able to replicate the issue of role cache not updating when getUsers.add(user) is called.

dblythy avatar Jun 07 '22 04:06 dblythy

@nangyal I redacted your comment, as it referred to a potential vulnerability. We have opened an internal issue for further investigation. If you have any questions please reach out.

mtrezza avatar Jun 07 '22 07:06 mtrezza