diff --git a/spec/ParseSession.spec.js b/spec/ParseSession.spec.js index 084f141e08..a85be1a95e 100644 --- a/spec/ParseSession.spec.js +++ b/spec/ParseSession.spec.js @@ -3,6 +3,7 @@ // 'use strict'; +const request = require('../lib/request'); function setupTestUsers() { const user1 = new Parse.User(); @@ -135,4 +136,31 @@ describe('Parse.Session', () => { fail(err); }); }); + + it('cannot edit session with known ID', async () => { + await setupTestUsers(); + const [first, second] = await new Parse.Query(Parse.Session).find({ useMasterKey: true }); + const headers = { + 'X-Parse-Application-Id': 'test', + 'X-Parse-Rest-API-Key': 'rest', + 'X-Parse-Session-Token': second.get('sessionToken'), + 'Content-Type': 'application/json', + }; + const firstUser = first.get('user').id; + const secondUser = second.get('user').id; + const e = await request({ + method: 'PUT', + headers, + url: `http://localhost:8378/1/sessions/${first.id}`, + body: JSON.stringify({ + foo: 'bar', + user: { __type: 'Pointer', className: '_User', objectId: secondUser }, + }), + }).catch(e => e.data); + expect(e.code).toBe(Parse.Error.OBJECT_NOT_FOUND); + expect(e.error).toBe('Object not found.'); + await Parse.Object.fetchAll([first, second], { useMasterKey: true }); + expect(first.get('user').id).toBe(firstUser); + expect(second.get('user').id).toBe(secondUser); + }); }); diff --git a/src/RestWrite.js b/src/RestWrite.js index 31b9c22552..9cb735fa40 100644 --- a/src/RestWrite.js +++ b/src/RestWrite.js @@ -1019,6 +1019,20 @@ RestWrite.prototype.handleSession = function () { } else if (this.data.sessionToken) { throw new Parse.Error(Parse.Error.INVALID_KEY_NAME); } + if (!this.auth.isMaster) { + this.query = { + $and: [ + this.query, + { + user: { + __type: 'Pointer', + className: '_User', + objectId: this.auth.user.id, + }, + }, + ], + }; + } } if (!this.query && !this.auth.isMaster) {