fix: feedbacks

Author: coratgerl

spec/ParseQuery.spec.js

@@ -5385,39 +5385,86 @@ describe('Parse.Query testing', () => {
     });
   });
 
-  it_id('DEPPS12')(it_only_db('mongo'))(
-    'throws error when using explain without master key',
+  it_id('a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d')(it_only_db('mongo'))(
+    'explain works with and without master key when allowPublicExplain is true',
     async () => {
+      await reconfigureServer({
+        databaseURI: 'mongodb://localhost:27017/parse',
+        databaseAdapter: null,
+        databaseOptions: {
+          allowPublicExplain: true,
+        },
+      });
+
       const obj = new TestObject({ foo: 'bar' });
       await obj.save();
 
-      const spyLogRuntimeDeprecation = spyOn(Deprecator, 'logRuntimeDeprecation');
-
-      // Test that explain without master key throws an error
+      // Without master key
       const query = new Parse.Query(TestObject);
       query.explain();
+      const resultWithoutMasterKey = await query.find();
+      expect(resultWithoutMasterKey).toBeDefined();
 
-      try {
-        await query.find();
+      // With master key
+      const queryWithMasterKey = new Parse.Query(TestObject);
+      queryWithMasterKey.explain();
+      const resultWithMasterKey = await queryWithMasterKey.find({ useMasterKey: true });
+      expect(resultWithMasterKey).toBeDefined();
+    }
+  );
 
-        expect(spyLogRuntimeDeprecation).toHaveBeenCalledTimes(1);
-        expect(spyLogRuntimeDeprecation).toHaveBeenCalledWith({
-          usage: 'Using the explain query parameter without the master key',
-        });
-        // fail('Should have thrown an error');
-      } catch (error) {
-        // Uncomment this after the Deprecation DEPPS12
-        // expect(error.code).toEqual(Parse.Error.INVALID_QUERY);
-        // expect(error.message).toEqual('Using the explain query parameter without the master key');
-      }
+  it_id('b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e')(it_only_db('mongo'))(
+    'explain requires master key when allowPublicExplain is false',
+    async () => {
+      console.log("just before test")
+      await reconfigureServer({
+        databaseURI: 'mongodb://localhost:27017/parse',
+        databaseAdapter: null,
+        databaseOptions: {
+          allowPublicExplain: false,
+        },
+      });
+
+      const obj = new TestObject({ foo: 'bar' });
+      await obj.save();
+
+      // Without master key
+      const query = new Parse.Query(TestObject);
+      query.explain();
+      await expectAsync(query.find()).toBeRejectedWith(
+        new Parse.Error(
+          Parse.Error.INVALID_QUERY,
+          'Using the explain query parameter requires the master key'
+        )
+      );
 
-      // Test that explain with master key works fine
+      // With master key
       const queryWithMasterKey = new Parse.Query(TestObject);
       queryWithMasterKey.explain();
       const result = await queryWithMasterKey.find({ useMasterKey: true });
-
-      // Should return explain result (not throw error)
       expect(result).toBeDefined();
     }
   );
+
+  it_id('c3d4e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f')(it_only_db('mongo'))(
+    'explain works with and without master key by default (allowPublicExplain not set)',
+    async () => {
+      await reconfigureServer({});
+
+      const obj = new TestObject({ foo: 'bar' });
+      await obj.save();
+
+      // Without master key (default behavior)
+      const query = new Parse.Query(TestObject);
+      query.explain();
+      const resultWithoutMasterKey = await query.find();
+      expect(resultWithoutMasterKey).toBeDefined();
+
+      // With master key
+      const queryWithMasterKey = new Parse.Query(TestObject);
+      queryWithMasterKey.explain();
+      const resultWithMasterKey = await queryWithMasterKey.find({ useMasterKey: true });
+      expect(resultWithMasterKey).toBeDefined();
+    }
+  );
 });

src/Adapters/Storage/Mongo/MongoStorageAdapter.js

@@ -154,8 +154,13 @@ export class MongoStorageAdapter implements StorageAdapter {
     this.enableSchemaHooks = !!mongoOptions.enableSchemaHooks;
     this.schemaCacheTtl = mongoOptions.schemaCacheTtl;
     this.disableIndexFieldValidation = !!mongoOptions.disableIndexFieldValidation;
-    for (const key of ['enableSchemaHooks', 'schemaCacheTtl', 'maxTimeMS', 'disableIndexFieldValidation']) {
-      delete mongoOptions[key];
+    for (const key of [
+      'enableSchemaHooks',
+      'schemaCacheTtl',
+      'maxTimeMS',
+      'disableIndexFieldValidation',
+      'allowPublicExplain',
+    ]) {
       delete this._mongoOptions[key];
     }
   }

src/Config.js

@@ -602,6 +602,11 @@ export class Config {
     } else if (typeof databaseOptions.schemaCacheTtl !== 'number') {
       throw `databaseOptions.schemaCacheTtl must be a number`;
     }
+    if (databaseOptions.allowPublicExplain === undefined) {
+      databaseOptions.allowPublicExplain = DatabaseOptions.allowPublicExplain.default;
+    } else if (typeof databaseOptions.allowPublicExplain !== 'boolean') {
+      throw `databaseOptions.allowPublicExplain must be a boolean`;
+    }
   }
 
   static validateRateLimit(rateLimit) {

src/Deprecator/Deprecations.js

@@ -18,4 +18,10 @@
 module.exports = [
   { optionKey: 'encodeParseObjectInCloudFunction', changeNewDefault: 'true' },
   { optionKey: 'enableInsecureAuthAdapters', changeNewDefault: 'false' },
+  {
+    optionKey: 'databaseOptions.allowPublicExplain',
+    changeNewDefault: 'false',
+    solution:
+      'To prepare for the future change, set Parse Server option databaseOptions.allowPublicExplain to false and ensure explain queries are only made with master key.',
+  },
 ];

src/Options/Definitions.js

@@ -1083,6 +1083,13 @@ module.exports.FileUploadOptions = {
   },
 };
 module.exports.DatabaseOptions = {
+  allowPublicExplain: {
+    env: 'PARSE_SERVER_DATABASE_ALLOW_PUBLIC_EXPLAIN',
+    help:
+      'Set to `true` to allow explain queries without master key. This option is deprecated and the default will change to `false` in a future version.',
+    action: parsers.booleanParser,
+    default: true,
+  },
   autoSelectFamily: {
     env: 'PARSE_SERVER_DATABASE_AUTO_SELECT_FAMILY',
     help:

src/Options/docs.js

@@ -634,6 +634,9 @@ export interface DatabaseOptions {
   autoSelectFamilyAttemptTimeout: ?number;
   /* Set to `true` to disable validation of index fields. When disabled, indexes can be created even if the fields do not exist in the schema. This can be useful when creating indexes on fields that will be added later. */
   disableIndexFieldValidation: ?boolean;
+  /* Set to `true` to allow explain queries without master key. This option is deprecated and the default will change to `false` in a future version.
+  :DEFAULT: true */
+  allowPublicExplain: ?boolean;
 }
 
 export interface AuthAdapter {

src/Options/index.js

@@ -13,7 +13,6 @@ var RestQuery = require('./RestQuery');
 var RestWrite = require('./RestWrite');
 var triggers = require('./triggers');
 const { enforceRoleSecurity } = require('./SharedRest');
-const Deprecator = require('./Deprecator/Deprecator');
 
 function checkTriggers(className, config, types) {
   return types.some(triggerType => {
@@ -37,16 +36,14 @@ async function runFindTriggers(
   const { isGet } = options;
 
   if (restOptions && restOptions.explain && !auth.isMaster) {
-    // After the Deprecation DEPPS12 uncomment this to throw an error
-    // throw new Parse.Error(
-    //   Parse.Error.INVALID_QUERY,
-    //   'Using the explain query parameter without the master key'
-    // );
+    const allowPublicExplain = config.databaseOptions?.allowPublicExplain ?? true;
 
-    // Deprecation DEPPS12
-    Deprecator.logRuntimeDeprecation({
-      usage: 'Using the explain query parameter without the master key',
-    });
+    if (!allowPublicExplain) {
+      throw new Parse.Error(
+        Parse.Error.INVALID_QUERY,
+        'Using the explain query parameter requires the master key'
+      );
+    }
   }
 
   // Run beforeFind trigger - may modify query or return objects directly