
Unexpected behavior on the `exists` method

Open codeKonami opened this issue 5 years ago • 8 comments

Issue Description

An object exists in the database. You need a sessionToken to access it.

If you use the Parse.Object `exists` method without a sessionToken, instead of throwing an error, it resolves with the value false. I think it's quite an unexpected behavior. It's caused by these lines of code

https://github.com/parse-community/Parse-SDK-JS/blob/f2d76805000488fefce2b0c2e73d8953007f2b1c/src/ParseObject.js#L972-L974

And it comes from this discussion: https://github.com/parse-community/Parse-SDK-JS/pull/898#discussion_r316447203

Steps to reproduce

  • Create an object in database with limited access
  • Try/catch the `exists` method without any sessionToken

Expected Results

It should throw an error

Actual Outcome

It does not throw; it returns false as if the object does not exist

Test Case

To accurately reproduce your issue. Add your test cases here and read the Contributing Guide to run the tests.

Environment Setup

  • Server

    • parse-server version (Be specific! Don't say 'latest'.) : 4.1.0
    • Operating System: MacOS
    • Localhost or remote server? localhost
  • JS SDK

    • JS SDK version: [FILL THIS OUT]
    • Application? (Browser, Node, React-Native, etc): [FILL THIS OUT]

Logs/Trace

codeKonami avatar Apr 06 '20 09:04 codeKonami

Thanks for opening this issue!

  • ❌ Please edit your post and use the provided template when creating a new issue. This helps everyone to understand your post better and asks for essential information to review the issue more quickly.

In my opinion, that's the right behavior. If the user does not have access to this object, they should not be able to know if it exists, and always receiving false (no matter whether it exists or not) looks like a good solution to me. If we throw an error, the user will know that the object exists. It also looks to me compliant with the other features, such as the count, which does not count the objects to which the user doesn't have access. @dplewis @acinader thoughts?

davimacedo avatar Apr 06 '20 16:04 davimacedo

@davimacedo I agree that this is expected behavior.

dplewis avatar Apr 06 '20 17:04 dplewis

I see what you mean. But if you have a CLP with requiresAuthentication, your approach would not allow triggering the "authentication error".

codeKonami avatar Apr 06 '20 21:04 codeKonami

I guess that's not true. If you check the code here, you will see it throws any error that is not ParseError.OBJECT_NOT_FOUND. In the case there is no CLP, a 119 error should come from the server and it should be thrown to the client. If that's not the case that you are observing, would you mind writing a test case?

davimacedo avatar Apr 08 '20 03:04 davimacedo

@codeKonami thanks for the PR with the test case. I pulled your branch and played around. I could reproduce the problem, but only with the requiresAuthentication. I mean, if we set no CLP for get or even some role, it works properly, and error code 119 is received. The problem is on Parse Server, though. https://github.com/parse-community/parse-server/blob/6b0efaeffd9fc59002ee87562d0a4105d52d02a3/src/Controllers/SchemaController.js#L1437 and https://github.com/parse-community/parse-server/blob/6b0efaeffd9fc59002ee87562d0a4105d52d02a3/src/Controllers/SchemaController.js#L1442 look wrong to me. We should throw Parse.Error.OPERATION_FORBIDDEN, like in https://github.com/parse-community/parse-server/blob/6b0efaeffd9fc59002ee87562d0a4105d52d02a3/src/Controllers/SchemaController.js#L1483 @dplewis agree?

davimacedo avatar Apr 14 '20 07:04 davimacedo
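
The behaviour discussed in this thread, as an added example that is not part of the original issue and is not Parse SDK or Parse Server code. It is a synchronous model in which `serverGet`, `existsLike`, `probe`, the `clpGet` labels, the object-level reader list and the sample data are all hypothetical; it shows why a caller of `exists` cannot tell a missing object from an unreadable one, and how returning 119 for `requiresAuthentication`, as proposed above, surfaces the error instead.

```javascript
// Added model of the thread's behaviour; not Parse SDK or Parse Server code.
const OBJECT_NOT_FOUND = 101;     // Parse.Error.OBJECT_NOT_FOUND
const OPERATION_FORBIDDEN = 119;  // Parse.Error.OPERATION_FORBIDDEN
class FakeParseError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// Hypothetical stand-in for the server's permission checks on "get".
// store.clpGet: 'public' | 'nobody' | 'role:<name>' | 'requiresAuthentication'
// patched=true models the change proposed in the thread (119 instead of 101).
function serverGet(store, id, session, patched = false) {
  const clp = store.clpGet;
  if (clp === 'requiresAuthentication' && !session) {
    throw new FakeParseError(patched ? OPERATION_FORBIDDEN : OBJECT_NOT_FOUND,
      'constructed message: authentication required');
  }
  const roleOk = clp.startsWith('role:') && session && session.roles.includes(clp.slice(5));
  if (clp === 'nobody' || (clp.startsWith('role:') && !roleOk)) {
    throw new FakeParseError(OPERATION_FORBIDDEN, 'constructed message: get not permitted');
  }
  const obj = store.objects[id];
  // Assumed object-level check: an unreadable object is reported exactly like a missing one.
  const readable = obj && (obj.readers.includes('*') || (session && obj.readers.includes(session.user)));
  if (!readable) throw new FakeParseError(OBJECT_NOT_FOUND, 'constructed message: object not found');
  return obj;
}

// Same decision the thread attributes to exists(): 101 becomes false, anything else is rethrown.
function existsLike(get) {
  try { get(); return true; } catch (e) {
    if (e.code === OBJECT_NOT_FOUND) return false;
    throw e;
  }
}

// Returns 'true', 'false' or 'throws <code>' so outcomes can be compared side by side.
function probe(store, id, session, patched) {
  try { return String(existsLike(() => serverGet(store, id, session, patched))); }
  catch (e) { return `throws ${e.code}`; }
}

// Constructed sample data.
const alice = { user: 'alice', roles: [] };
const objects = { a1: { readers: ['alice'] } };
console.log(probe({ clpGet: 'public', objects }, 'a1', null));                       // unreadable object
console.log(probe({ clpGet: 'role:admin', objects }, 'a1', alice));                  // role CLP
console.log(probe({ clpGet: 'requiresAuthentication', objects }, 'a1', null));       // reported behaviour
console.log(probe({ clpGet: 'requiresAuthentication', objects }, 'a1', null, true)); // proposed change
```
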

I'll transfer this to Parse Server

mtrezza avatar Jul 28 '22 16:07 mtrezza
