Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Removing a non-existing user leads to server return "Insufficient auth" #5129

Closed
reallyimeric opened this issue Oct 18, 2018 · 4 comments
Closed

Removing a non-existing user leads to server return "Insufficient auth" #5129

reallyimeric opened this issue Oct 18, 2018 · 4 comments

Comments

@reallyimeric
Copy link
Contributor

Issue Description

Server returns "Insufficient auth" error for removing a non-existing user, even we use the master key for this request.

Steps to reproduce

  1. setup a fresh parse server
  2. remove an user with an non-existing objectId, using rest API or Parse.User.createWithoutData(), with master key provided
  3. see the server response

Expected Results

Server reports either ok or "user not found" with an appropriate error code

Actual Outcome

Server reports {"code":206,"error":"Insufficient auth."}

Environment Setup

  • Server

    • parse-server version (Be specific! Don't say 'latest'.) : 3.0.0
    • Operating System: linux
    • Hardware: x86_64
    • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): localhost

  • Database

    • MongoDB version: mongodb 3.6.5 WiredTiger: 3.0.1: (January 8, 2018)
    • Storage engine: wiredtiger
    • Hardware: the same with the server
    • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): the same with the server

Logs/Trace

error: Insufficient auth. code=206, message=Insufficient auth.
@georgesjamous
Copy link
Contributor

If I am not mistaken, _User is a special class that requires the response to be a bit tweaked.
If someone is trying to delete a user, and the user could not be found, it is valid to return "Insufficient auth" instead of an "object not found" error like any other object. That is only if the request with/without session token.

On the other hand, if the request is using the master key then I guess and "object not found" error would be more appropriate.

With a quick look i found the origin of your issue, its around here

parse-server/src/rest.js

Line 253 in 318a784

function handleSessionMissingError(error, className) {

Specifically when this fails

parse-server/src/rest.js

Line 90 in 318a784

function del(config, auth, className, objectId) {

so i guess an additional check for masterKey would go in "handleSessionMissingError(error, className)"

what do you think @flovilmart ?

@flovilmart
Copy link
Contributor

That could be changed indeed, but not really a bug either. If of you want to fix it, feel free to open a PR.

@georgesjamous georgesjamous mentioned this issue Oct 19, 2018
Merged
@georgesjamous
Copy link
Contributor

georgesjamous commented Oct 19, 2018
edited
Loading

Yes, it's not a bug but the error message could be more appropriate.
Anyway, I created a PR should you want to check it.

@levigroker levigroker mentioned this issue Oct 25, 2018
Closed
@stale
Copy link

stale bot commented Dec 3, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Dec 3, 2018
@stale stale bot closed this as completed Dec 10, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@flovilmart @reallyimeric @georgesjamous