LiveQuery roles, pointer permissions are missing #5839

Open
nangyal opened this issue Jul 22, 2019 · 10 comments
Labels
type:feature New feature or improvement of existing feature

Comments

@nangyal

nangyal commented Jul 22, 2019

Is your feature request related to a problem? Please describe.
The LiveQuery permission management does not handle
roles and pointer permissions

Describe the solution you'd like

Describe alternatives you've considered

Additional context

// TODO: handle roles permissions

@davimacedo
Member

@nangyal thanks for reporting. Would you be willing to tackle this one?

@mullwaden

Commented this in #5393 as well which I think has a better description of what is going wrong.

We are having an issue with this and @ridem in #5393 has made a perfect analysis of what is wrong. Would be fun to make a PR on how to fix it but I am not sure how, I believe it could be quite tricky.

Why it is important to fix:

  • When adding a user to a role it might take up to an hour before the cache is reset and live queries work again
  • When removing a user from a role, she might have access to data which she should not have access to, which is a bit of a security issue

I made a small workaround. It is not optimal, but as long as we have the liveQueryServer and the parseServer on the same server it will work:

  • Create the server as usual: const liveQueryServer = ParseServer.createLiveQueryServer(httpServer)
  • In _Role, add the following to beforeSave: liveQueryServer.authCache.reset()

This clears the cache as soon as a role is changed. It could easily be made smarter by fetching the users that belong to that role and only removing or editing those rows in the authCache.
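
The cache behaviour discussed in the comment above, as an added example that is not part of the original comment and is not Parse Server code: a self-contained model of a role cache showing the stale answers after a role change, and the per-user eviction the comment suggests. All names (RoleAuthCache, canReceive, simulate) and the one-hour TTL are assumptions for illustration.

```javascript
// Added model of the stale role cache; not Parse Server code. Names are hypothetical.
const TTL_MS = 60 * 60 * 1000; // assumed one-hour TTL ("up to an hour" in the comment)

class RoleAuthCache {
  constructor(lookupRoles) {
    this.lookupRoles = lookupRoles; // authoritative source, e.g. the database
    this.entries = new Map();       // userId -> { roles: Set, expires: ms timestamp }
  }
  rolesFor(userId) {
    const hit = this.entries.get(userId);
    if (hit && hit.expires > Date.now()) return hit.roles; // possibly stale
    const roles = new Set(this.lookupRoles(userId));
    this.entries.set(userId, { roles, expires: Date.now() + TTL_MS });
    return roles;
  }
  reset() { this.entries.clear(); }  // blunt: drop everything on any role change
  evictUsers(userIds) {              // targeted: drop only the affected users
    for (const id of userIds) this.entries.delete(id);
  }
}

// Live event delivery check: acl lists the role names allowed to read the object.
function canReceive(cache, userId, acl) {
  const roles = cache.rolesFor(userId);
  return acl.some((role) => roles.has(role));
}

// Constructed scenario: alice is added to RoleX, then removed again.
function simulate(invalidateOnRoleChange) {
  const members = new Map([['RoleX', new Set()]]);
  const lookup = (u) => [...members].filter(([, s]) => s.has(u)).map(([r]) => r);
  const cache = new RoleAuthCache(lookup);
  const onRoleSaved = (u) => { if (invalidateOnRoleChange) cache.evictUsers([u]); };
  const acl = ['RoleX'];

  canReceive(cache, 'alice', acl);            // warm the cache: no roles yet
  members.get('RoleX').add('alice');
  onRoleSaved('alice');
  const afterAdd = canReceive(cache, 'alice', acl);

  cache.reset();
  canReceive(cache, 'alice', acl);            // warm again: alice is in RoleX
  members.get('RoleX').delete('alice');
  onRoleSaved('alice');
  const afterRemove = canReceive(cache, 'alice', acl);
  return { afterAdd, afterRemove };
}
```

Without invalidation, simulate(false) returns { afterAdd: false, afterRemove: true }: the new member is denied and the removed member is still served. With eviction on role save, simulate(true) returns { afterAdd: true, afterRemove: false }.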

@qwertyway

Thank you @mullwaden

I've been facing exactly the same issue with roles and freshly added users as described at #5393.
I've spent a couple of days investigating the issue, found the live query cache, but wasn't sure how to configure or reset it.

Your solution helped, I'll use it for now. I hope the final fix will be more efficient.

@dblythy
Member

dblythy commented Mar 16, 2021

Is this in relation to an LQ event not being fired if the related Role is updated? Or is this something else?

E.g., if

role.getUsers().add(user);
await role.save();

is called, related LQ objects with the role should fire an enter or leave event.

@mullwaden

@dblythy the issue is that the cache can be outdated. So let's say a user is added to a role with RoleX and then tries to fetch a database row with the acl = { read: RoleX }. Regular fetching will work, but the live updates will fail because the liveQuery cache is outdated, i.e. the user has not yet been added to the cache of that particular role.

@nangyal
Author

nangyal commented Jul 26, 2021

2 years passed and still not fixed :)

@dblythy
Member

dblythy commented Jul 27, 2021

@nangyal Have you tried putting the LQ trigger on the role class?

@nangyal
Author

nangyal commented Oct 25, 2021

No, I solved it a different way [redacted]

@mtrezza added type:feature New feature or improvement of existing feature and removed type:improvement labels Dec 6, 2021

@dblythy
Member

dblythy commented Jun 7, 2022

I note the code snippet referenced refers to the _matchesCLP function, so are you saying that if you have roles in CLP Parse Live Query doesn't correctly handle it?

It's a little vague for what the issue actually is - and LiveQuery (to my testing) does support role based ACLs.

@mullwaden I have reopened #5393 as I have been able to replicate the issue of role cache not updating when getUsers.add(user) is called.

@mtrezza
Member

mtrezza commented Jun 7, 2022

@nangyal I redacted your comment, as it referred to a potential vulnerability. We have opened an internal issue for further investigation. If you have any questions please reach out.
