⚡ Release 2.7.1

(#4410)
* Adds failing test for 4409

* Adds fix

* ⚡ Release 2.7.1

CHANGELOG.md

@@ -3,9 +3,18 @@
 ### master
 [Full Changelog](https://github.com/parse-community/parse-server/compare/2.7.0...master)
 
+### 2.7.1
+[Full Changelog](https://github.com/parse-community/parse-server/compare/2.7.1...2.7.0)
+
+:warning: Fixes a security issue affecting Class Level Permissions
+
+* Adds support for dot notation when using matchesKeyInQuery, thanks to [Henrik](https://github.com/bohemima) and [Arthur Cinader](https://github.com/acinader)
+
 ### 2.7.0
 [Full Changelog](https://github.com/parse-community/parse-server/compare/2.7.0...2.6.5)
 
+:warning: This version contains an issue affecting Class Level Permissions on mongoDB. Please upgrade to 2.7.1.
+
 Starting parse-server 2.7.0, the minimun nodejs version is 6.11.4, please update your engines before updating parse-server
 
 #### New Features:

package.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "2.7.0",
+  "version": "2.7.1",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {

spec/schemas.spec.js

@@ -2,6 +2,7 @@
 
 var Parse = require('parse/node').Parse;
 var request = require('request');
+const rp = require('request-promise');
 var dd = require('deep-diff');
 var Config = require('../src/Config');
 
@@ -1721,6 +1722,35 @@ describe('schemas', () => {
     });
   });
 
+
+  it("regression test for #4409 (indexes override the clp)", done => {
+    setPermissionsOnClass('_Role', {
+      'get': {"*": true},
+      'find': {"*": true},
+      'create': {'*': true},
+    }, true).then(() => {
+      const config = Config.get('test');
+      return config.database.adapter.updateSchemaWithIndexes();
+    }).then(() => {
+      return rp.get({
+        url: 'http://localhost:8378/1/schemas/_Role',
+        headers: masterKeyHeaders,
+        json: true,
+      });
+    }).then((res) => {
+      expect(res.classLevelPermissions).toEqual({
+        'get': {"*": true},
+        'find': {"*": true},
+        'create': {'*': true},
+        'update': {},
+        'delete': {},
+        'addField': {},
+      });
+      console.log(res);
+    }).then(done).catch(done.fail);
+  });
+
+
   it('regression test for #2246', done => {
     const profile = new Parse.Object('UserProfile');
     const user = new Parse.User();

src/Adapters/Storage/Mongo/MongoStorageAdapter.js

@@ -166,7 +166,7 @@ export class MongoStorageAdapter {
   setClassLevelPermissions(className, CLPs) {
     return this._schemaCollection()
       .then(schemaCollection => schemaCollection.updateSchema(className, {
-        $set: { _metadata: { class_permissions: CLPs } }
+        $set: { '_metadata.class_permissions': CLPs }
       }));
   }
 
@@ -212,7 +212,7 @@ export class MongoStorageAdapter {
       .then(() => insertPromise)
       .then(() => this._schemaCollection())
       .then(schemaCollection => schemaCollection.updateSchema(className, {
-        $set: { _metadata: { indexes: existingIndexes } }
+        $set: { '_metadata.indexes':  existingIndexes }
       }));
   }
 
@@ -231,7 +231,7 @@ export class MongoStorageAdapter {
       }, {});
       return this._schemaCollection()
         .then(schemaCollection => schemaCollection.updateSchema(className, {
-          $set: { _metadata: { indexes: indexes } }
+          $set: { '_metadata.indexes': indexes }
         }));
     }).catch(() => {
       // Ignore if collection not found