Embedded document modification requires addField permission

[mstniy]

New Issue Checklist

• [x] I am not disclosing a vulnerability.
• [x] I am not just asking a question.
• [x] I have searched through existing issues.
• [x] I can reproduce the issue with the latest version of Parse Server.

Issue Description

Using PUT to modify a nested document fails unless the caller has addField permissions, even if the request doesn't add a new field.

Steps to reproduce

1. Create a new class, nested_test.
2. Remove public addField permission from the class.
3. Use PUSH to create this object: { "a": {"b":1}}
4. Use PUT to change the 1 to a 2 : {"a.b": 4}
5. Observer that the operation fails due to a lack of addField permission.
6. Grant addField to the public for the class.
7. Observe that the request now successfully modifies the nested key.

Actual Outcome

The first PUT request should succeed, even without the addField permission, because it does not add a new field.

Expected Outcome

It fails due to a lack of addField permission.

Failing Test Case / Pull Request

• [x] 🤩 I submitted a PR with a fix and a test case.
• [ ] 🧐 I submitted a PR with a failing test case.

Environment

Server

• Parse Server version: 94b7b32 , a commit from 19/04/2021
• Operating system: Ubuntu 20.04
• Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): local

Database

• System (MongoDB or Postgres): MongoDB
• Database version: 4.4.5
• Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): local

Client

• SDK (iOS, Android, JavaScript, PHP, Unity, etc): any
• SDK version: any

Logs

[mstniy]

6687 may be related

[mtrezza]

Thanks for reporting!

I label this as needs more info until the test in the PR ails and confirms that this does not work.

I changed to title to be specific about adding a new object key. If I understand correctly, modifying an existing key does not require "add field" permission.

[mstniy]

If I understand correctly, modifying an existing key does not require "add field" permission.

It indeed does, if one tries to modify a key of a nested document.

[mtrezza]

So the issue occurs when modifying an existing key and when adding a new key?

[mstniy]

When modifying a nested object, no matter whether you are introducing a new key to the nested object or modifying a key that already exists.

[mtrezza]

Thanks for clarifying, so I commented on your PR to include tests for both scenarios.