parse-community / parse-server

Parse Server for Node.js / Express
https://parseplatform.org
Apache License 2.0

Parse Cloud Parse.Query unauthorised #7743

Closed ikarelin closed 2 years ago

ikarelin commented 2 years ago

New Issue Checklist

Issue Description

I have created a simple Parse Cloud function and want to query an object.

Steps to reproduce

Just run the code

Parse.Cloud.afterSave("Bookings", (request) => {
    console.log("*** Received a new afterSave function on Bookings table with request: ", request);
    // Request bookings table posting ID
    const postingID = request.object.get('postingID');
    console.log("*** Got posting ID for booking: ", postingID);
    // Query the posting
    const CurrentPosting = Parse.Object.extend("Postings");
    const postingQuery = new Parse.Query(CurrentPosting);
    postingQuery.get(postingID).then((currentPosting) => {
      // The posting retrieved
      console.log('*** Posting retrieved !!!');
      //const postingName = currentPosting.get('name');
      //console.log('*** Got posting name for booking: ', postingName);
      //const postingOwner = currentPosting.get('ownerID');
      //console.log('*** Got owner ID for posting: ', postingOwner);
    }, (error) => {
      // The posting was not retrieved
      console.log('*** Error retreiving posting for booking !!!', error);
    });
});

Actual Outcome

Unauthorized error

Expected Outcome

Expected a Parse Object

Environment

Server

Database

Client

Logs

info: Parse LiveQuery Server starts running
*** Received a new afterSave function on Bookings table with request:  {
  triggerName: 'afterSave',
  object: ParseObject { _objCount: 8, className: 'Bookings', id: 'CXHpf9jLX9' },
  master: false,
  log: LoggerController {
    options: {
      jsonLogs: false,
      logsFolder: './logs/',
      verbose: false,
      logLevel: undefined,
      silent: undefined,
      maxLogFiles: undefined
    },
    appId: '2c8PP9ZpLAf0gMbluhYNQXysW6sS8S2s',
    debug: [Function (anonymous)],
    verbose: [Function (anonymous)],
    silly: [Function (anonymous)],
    [Symbol()]: WinstonLoggerAdapter {}
  },
  headers: {
    'x-real-ip': '91.79.35.150',
    'x-forwarded-for': '91.79.35.150',
    'x-nginx-proxy': 'true',
    connection: 'upgrade',
    host: 'easyrenty.com',
    'content-length': '373',
    'user-agent': 'Flutter Parse SDK 3.1.0',
    'x-parse-session-token': 'r:74d3ea1fe54bbd31a260c629675294c8',
    'x-parse-application-id': '2c8PP9ZpLAf0gMbluhYNQXysW6sS8S2s',
    'accept-encoding': 'gzip',
    'content-type': 'text/plain; charset=utf-8',
    'x-parse-client-key': 'GXUgDDHySdXYgQP5nYGP1sC8gpRalJ1T'
  },
  ip: '91.79.35.150',
  context: {},
  user: ParseUser { _objCount: 7, className: '_User', id: 'spNUyASEtw' }
}
*** Got posting ID for booking:  j2sBs39DCD
info: afterSave triggered for Bookings for user spNUyASEtw:
  Input: {"postingID":"j2sBs39DCD","dates":[{"__type":"Date","iso":"2021-12-22T12:45:00.000Z"},{"__type":"Date","iso":"2021-12-23T12:45:00.000Z"},{"__type":"Date","iso":"2021-12-24T12:45:00.000Z"},{"__type":"Date","iso":"2021-12-25T12:45:00.000Z"}],"deliveryAddress":"Test Address","helmetsNumber":1,"clientID":"spNUyASEtw","isAccepted":false,"isDeclined":false,"isCompleted":false,"createdAt":"2021-12-22T12:44:25.977Z","updatedAt":"2021-12-22T12:44:25.977Z","objectId":"CXHpf9jLX9"} {"className":"Bookings","triggerType":"afterSave","user":"spNUyASEtw"}
info: afterSave triggered for Bookings for user spNUyASEtw:
  Input: {"postingID":"j2sBs39DCD","dates":[{"__type":"Date","iso":"2021-12-22T12:45:00.000Z"},{"__type":"Date","iso":"2021-12-23T12:45:00.000Z"},{"__type":"Date","iso":"2021-12-24T12:45:00.000Z"},{"__type":"Date","iso":"2021-12-25T12:45:00.000Z"}],"deliveryAddress":"Test Address","helmetsNumber":1,"clientID":"spNUyASEtw","isAccepted":false,"isDeclined":false,"isCompleted":false,"createdAt":"2021-12-22T12:44:25.977Z","updatedAt":"2021-12-22T12:44:25.977Z","objectId":"CXHpf9jLX9"}
  Result: undefined {"className":"Bookings","triggerType":"afterSave","user":"spNUyASEtw"}
*** Error retreiving posting for booking !!! ParseError: unauthorized
    at handleError (/home/ikarelin/node_modules/parse/lib/node/RESTController.js:426:17)
    at processTicksAndRejections (node:internal/process/task_queues:96:5) {
  code: undefined
}

parse-github-assistant[bot] commented 2 years ago

Thanks for opening this issue!

mtrezza commented 2 years ago

Unauthorized error

Maybe the user is not allowed to execute the query? You could try using useMasterKey: true when executing the query. I suggest simplifying the code example and removing everything that is not necessary to reproduce the issue. If you could provide a complete example in the form of a failing test (see /spec folder) we can look into this issue. Otherwise it's difficult to analyze because we cannot see which object and class level permissions you have set.

ikarelin commented 2 years ago

Parse.Cloud.afterSave("Bookings", (request) => {
    const postingID = request.object.get('postingID');
    const CurrentPosting = Parse.Object.extend("Postings");
    const postingQuery = new Parse.Query(CurrentPosting);
    postingQuery.get(postingID).then((currentPosting) => {
      // The posting retrieved
      console.log('*** Posting retrieved !!!');
    }, (error) => {
      // The posting was not retrieved
      console.log('*** Error retreiving posting for booking !!!', error);
    });
});

ikarelin commented 2 years ago

useMasterKey: true fixed the issue.
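
The fix confirmed in this thread, as an added example that is not code from the issue or from Parse Server: the trigger passes explicit options to `query.get`, either the caller's session token (ACL and CLP still apply) or `useMasterKey: true` (both are bypassed). `FakeQuery`, its sample data, `afterSaveBooking` and the `asServer` flag are constructed so the block runs without a server; the thread never shows which permissions were actually set.

```javascript
// Constructed sample data and a stand-in for Parse.Query on "Postings".
// Assumption: reads need either a session token or the master key; the
// 'unauthorized' text mirrors the issue's log and is not a server trace.
const POSTINGS = { j2sBs39DCD: { name: 'sample posting', ownerID: 'owner1' } };

class FakeQuery {
  get(id, options = {}) {
    const authorised = options.useMasterKey === true || Boolean(options.sessionToken);
    if (!authorised) return Promise.reject(new Error('unauthorized'));
    const row = POSTINGS[id];
    if (!row) return Promise.reject(new Error('Object not found.'));
    return Promise.resolve({ id, get: (key) => row[key] });
  }
}

// Body of the afterSave trigger. makeQuery is injected so the same function
// runs against the real Parse.Query or the stand-in above.
async function afterSaveBooking(request, makeQuery, { asServer = false } = {}) {
  const postingID = request.object.get('postingID');

  // A query issued from Cloud Code does not inherit the triggering user's
  // session, so credentials have to be passed explicitly.
  const options = asServer
    // Server authority: skips ACL and CLP checks, so keep the result
    // server-side and return only the fields the trigger needs.
    ? { useMasterKey: true }
    // Caller's authority: the read succeeds only if this user may see the row.
    : { sessionToken: request.user && request.user.getSessionToken() };

  const posting = await makeQuery().get(postingID, options);
  return { name: posting.get('name'), ownerID: posting.get('ownerID') };
}

// Registration in real Cloud Code (not executed here):
// Parse.Cloud.afterSave("Bookings", (request) =>
//   afterSaveBooking(request, () => new Parse.Query("Postings")));
```

Prefer the session-token form when the booking user is supposed to be able to read the posting; reserve the master key for lookups that must succeed regardless of that user's permissions.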