From 551615ff1882a75236e41a410f3e3aa378e8db39 Mon Sep 17 00:00:00 2001 From: Daniel Date: Sun, 5 Jul 2026 17:50:41 +1000 Subject: [PATCH] fix: Name the offending field in the addField permission error Closes #8664 --- spec/schemas.spec.js | 1 + src/Controllers/DatabaseController.js | 2 +- src/Controllers/SchemaController.js | 18 ++++++++++++++---- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/spec/schemas.spec.js b/spec/schemas.spec.js index f9f29c733e..7ebcadffa4 100644 --- a/spec/schemas.spec.js +++ b/spec/schemas.spec.js @@ -1847,6 +1847,7 @@ describe('schemas', () => { expect(err.message).toEqual('Permission denied'); expect(err.code).toEqual(Parse.Error.OPERATION_FORBIDDEN); expect(loggerErrorSpy).toHaveBeenCalledWith('Sanitized error:', jasmine.stringContaining('Permission denied for action addField on class AClass')); + expect(loggerErrorSpy).toHaveBeenCalledWith('Sanitized error:', jasmine.stringContaining('field hello')); done(); } ); diff --git a/src/Controllers/DatabaseController.js b/src/Controllers/DatabaseController.js index d598cacac5..52cf392071 100644 --- a/src/Controllers/DatabaseController.js +++ b/src/Controllers/DatabaseController.js @@ -992,7 +992,7 @@ class DatabaseController { runOptions.addsField = true; const action = runOptions.action; - return schema.validatePermission(className, aclGroup, 'addField', action); + return schema.validatePermission(className, aclGroup, 'addField', action, newKeys); } return Promise.resolve(); } diff --git a/src/Controllers/SchemaController.js b/src/Controllers/SchemaController.js index 8ad7352647..09d4dd1b06 100644 --- a/src/Controllers/SchemaController.js +++ b/src/Controllers/SchemaController.js @@ -1387,7 +1387,8 @@ export default class SchemaController { className: string, aclGroup: string[], operation: string, - action?: string + action?: string, + fields?: string[] ) { if (SchemaController.testPermissions(classPermissions, aclGroup, operation)) { return Promise.resolve(); @@ -1451,21 +1452,30 @@ export default class SchemaController { } } + const fieldInfo = + fields && fields.length ? ` for ${fields.length > 1 ? 'fields' : 'field'} ${fields.join(', ')}` : ''; throw createSanitizedError( Parse.Error.OPERATION_FORBIDDEN, - `Permission denied for action ${operation} on class ${className}.`, + `Permission denied for action ${operation} on class ${className}${fieldInfo}.`, config ); } // Validates an operation passes class-level-permissions set in the schema - validatePermission(className: string, aclGroup: string[], operation: string, action?: string) { + validatePermission( + className: string, + aclGroup: string[], + operation: string, + action?: string, + fields?: string[] + ) { return SchemaController.validatePermission( this.getClassLevelPermissions(className), className, aclGroup, operation, - action + action, + fields ); }