Skip to content

Commit 04b0a59

Browse files
committed
test: Add authenticated non-master delete case and guard rejection assertions
1 parent 5f02b5f commit 04b0a59

1 file changed

Lines changed: 31 additions & 0 deletions

File tree

spec/ParseInstallation.spec.js

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1317,6 +1317,7 @@ describe('Installations', () => {
13171317
url: 'http://localhost:8378/1/installations',
13181318
});
13191319
fail('find should have been rejected');
1320+
return;
13201321
} catch (e) {
13211322
error = e;
13221323
}
@@ -1337,6 +1338,7 @@ describe('Installations', () => {
13371338
url: 'http://localhost:8378/1/installations/' + created.response.objectId,
13381339
});
13391340
fail('delete should have been rejected');
1341+
return;
13401342
} catch (e) {
13411343
error = e;
13421344
}
@@ -1366,12 +1368,41 @@ describe('Installations', () => {
13661368
url: 'http://localhost:8378/1/installations',
13671369
});
13681370
fail('find should have been rejected');
1371+
return;
13691372
} catch (e) {
13701373
error = e;
13711374
}
13721375
expect(error.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
13731376
expect(error.data.error).toBe('Permission denied');
13741377
});
1378+
1379+
it('blocks the delete operation for an authenticated non-master user', async () => {
1380+
const user = await Parse.User.signUp('installation-acl-user', 'pass-12345678');
1381+
const created = await rest.create(config, auth.nobody(config), '_Installation', {
1382+
installationId: '12345678-abcd-abcd-abcd-123456789abc',
1383+
deviceType: 'android',
1384+
});
1385+
let error;
1386+
try {
1387+
await request({
1388+
method: 'DELETE',
1389+
headers: {
1390+
...anonymousHeaders,
1391+
'X-Parse-Session-Token': user.getSessionToken(),
1392+
},
1393+
url: 'http://localhost:8378/1/installations/' + created.response.objectId,
1394+
});
1395+
fail('delete should have been rejected');
1396+
return;
1397+
} catch (e) {
1398+
error = e;
1399+
}
1400+
expect(error.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
1401+
expect(error.data.error).toBe('Permission denied');
1402+
// The row is still present: the authenticated non-master delete did not take effect.
1403+
const remaining = await new Parse.Query(Parse.Installation).count({ useMasterKey: true });
1404+
expect(remaining).toBe(1);
1405+
});
13751406
});
13761407

13771408
describe('deviceToken deduplication on new install (no installationId match)', () => {

0 commit comments

Comments
 (0)