Skip to content

test: Add _Installation non-master access control regression tests#10578

Merged
mtrezza merged 4 commits into
parse-community:alphafrom
mtrezza:tests/installation-access-control
Jul 14, 2026
Merged

test: Add _Installation non-master access control regression tests#10578
mtrezza merged 4 commits into
parse-community:alphafrom
mtrezza:tests/installation-access-control

Conversation

@mtrezza

@mtrezza mtrezza commented Jul 13, 2026

Copy link
Copy Markdown
Member

Issue

The _Installation access-control contract for non-master clients was only partially covered by tests. enforceRoleSecurity (src/SharedRest.js) blocks the find and delete operations on _Installation for non-master/non-maintenance callers, while intentionally allowing create, update, and get to fall through (push registration happens before a user logs in). There was no explicit regression coverage for the delete block, nor for the fact that find is blocked for authenticated non-master users, not just anonymous ones.

Approach

Add a describe('access control for non-master clients') block in spec/ParseInstallation.spec.js that locks in the contract:

  • find is rejected for an unauthenticated client and for an authenticated non-master user, so installations cannot be enumerated and a row's identifier cannot be discovered.
  • delete is rejected for an unauthenticated client and for an authenticated non-master user, and the row is verified to survive via an exact adapter find (which avoids Postgres estimated-count behavior).

The by-design get/update of one's own installation remains covered by the existing #1718 and #2090 tests referenced in the block.

Tasks

  • Add tests
  • Add changes to documentation (guides, repository pages, code comments)
  • Add security check
  • Add new Parse Error codes to Parse JS SDK

@parse-github-assistant

Copy link
Copy Markdown

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Added four tests verifying forbidden installation queries and deletions for unauthenticated and authenticated non-master clients, including confirmation that rejected deletions preserve the installation record.

Changes

Installation access control

Layer / File(s) Summary
Non-master authorization tests
spec/ParseInstallation.spec.js
Adds shared anonymous headers and tests forbidden installation find and delete requests for unauthenticated and authenticated non-master clients, confirming denied deletions leave the installation row intact.

Estimated code review effort: 2 (Simple) | ~10 minutes


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error)

Check name Status Explanation Resolution
Description check ❌ Error No pull request description was provided, so the required Issue, Approach, and Tasks sections are missing. Add the repository template sections: Issue, Approach, and Tasks, and fill in the required details for the change.
✅ Passed checks (6 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Security Check ✅ Passed Only a spec file changed; it adds negative access-control tests and no production code or risky security pattern.
Engage In Review Feedback ✅ Passed PASS: Feedback was implemented in 04b0a59, and the author replied '@coderabbitai review' afterward. citeturn2view0turn2view3
Title check ✅ Passed The title matches the PR scope and uses an allowed test: prefix with a clear description of the new regression tests.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
spec/ParseInstallation.spec.js (1)

1301-1375: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Coverage gap: no test for authenticated non-master delete.

The suite covers unauthenticated find, unauthenticated delete, and authenticated non-master find — but not authenticated non-master delete. Given the PR's goal is comprehensive non-master installation access-control regression coverage, consider adding a fourth test mirroring "blocks the find operation for an authenticated non-master user" but for the delete endpoint, following the same row-preservation check used in the unauthenticated delete test.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@spec/ParseInstallation.spec.js` around lines 1301 - 1375, Add a test in the
access-control describe block covering DELETE on _Installation for an
authenticated non-master user, mirroring the setup and session-token headers
from “blocks the find operation for an authenticated non-master user.” Assert
the request returns OPERATION_FORBIDDEN with “Permission denied,” then verify
via a master-key query that the installation row remains present.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@spec/ParseInstallation.spec.js`:
- Around line 1307-1325: Update the three rejection tests around the request
try/catch blocks so each fail('... should have been rejected') immediately
returns (or throws), preventing execution from dereferencing an undefined error
when the request unexpectedly succeeds.

---

Nitpick comments:
In `@spec/ParseInstallation.spec.js`:
- Around line 1301-1375: Add a test in the access-control describe block
covering DELETE on _Installation for an authenticated non-master user, mirroring
the setup and session-token headers from “blocks the find operation for an
authenticated non-master user.” Assert the request returns OPERATION_FORBIDDEN
with “Permission denied,” then verify via a master-key query that the
installation row remains present.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ea810e75-461c-4062-8d6e-5cd4ec24dbad

📥 Commits

Reviewing files that changed from the base of the PR and between 7d4d135 and 5f02b5f.

📒 Files selected for processing (1)
  • spec/ParseInstallation.spec.js

Comment thread spec/ParseInstallation.spec.js
@mtrezza

mtrezza commented Jul 14, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.69%. Comparing base (d577327) to head (c223be6).
⚠️ Report is 1 commits behind head on alpha.

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10578      +/-   ##
==========================================
+ Coverage   92.68%   92.69%   +0.01%     
==========================================
  Files         193      193              
  Lines       17025    17025              
  Branches      248      248              
==========================================
+ Hits        15779    15781       +2     
+ Misses       1225     1223       -2     
  Partials       21       21              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mtrezza

mtrezza commented Jul 14, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@mtrezza mtrezza merged commit d76845f into parse-community:alpha Jul 14, 2026
24 of 25 checks passed
@parseplatformorg

Copy link
Copy Markdown
Contributor

🎉 This change has been released in version 9.10.1-alpha.2

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

state:released-alpha Released as alpha version

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants