Module: Parse::API::Objects::ClassMethods
- Defined in:
- lib/parse/api/objects.rb
Overview
Class methods to be applied to Client
Instance Method Summary
- #uri_path(className, id = nil) ⇒ String
Get the API path for this class.
Instance Method Details
#uri_path(className, id = nil) ⇒ String
Get the API path for this class.
Both className and id are validated to prevent path-smuggling attacks where an attacker-controlled string traverses to a different REST endpoint (e.g. "../sessions/me") with whatever auth the outer request carries, typically the master key.
# File 'lib/parse/api/objects.rb', line 49

def uri_path(className, id = nil)
  if className.is_a?(Parse::Pointer)
    id = className.id
    className = className.parse_class
  end
  className = Parse::API::PathSegment.identifier!(className, kind: "className")
  if id
    id_str = id.to_s
    unless OBJECT_ID_PATTERN.match?(id_str)
      raise ArgumentError, "objectId #{id_str.inspect} contains characters not " \
                           "allowed in a Parse objectId. Must match " \
                           "/\\A[A-Za-z0-9]{1,40}\\z/."
    end
    id = id_str
  end
  uri = "#{CLASS_PATH_PREFIX}#{className}"
  class_prefix = className.downcase.to_sym
  if PREFIX_MAP.has_key?(class_prefix)
    uri = PREFIX_MAP[class_prefix]
  end
  id.present? ? "#{uri}/#{id}" : "#{uri}/"
end
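The effect of the validation described above, as an added example that is not parse-stack's own code: an unvalidated path builder is compared with an allowlisting one, and the `\A`/`\z` anchors from the error message are contrasted with `^`/`$`. Assumptions: `naive_path`, `checked_path`, `normalize`, `rejected?`, the bare `classes/` prefix and the className pattern are hypothetical stand-ins (the rule used by `Parse::API::PathSegment.identifier!` is not shown on this page).

```ruby
# Added example: stand-in names, not parse-stack's own code.
OBJECT_ID_RE  = /\A[A-Za-z0-9]{1,40}\z/       # pattern quoted in the error message above
CLASS_NAME_RE = /\A[A-Za-z_][A-Za-z0-9_]*\z/  # assumed rule; PathSegment's is not shown
LINE_ANCHORED = /^[A-Za-z0-9]{1,40}$/         # look-alike with ^/$, for contrast only

# Unvalidated interpolation: the shape the validation guards against.
def naive_path(class_name, id = nil)
  id ? "classes/#{class_name}/#{id}" : "classes/#{class_name}/"
end

# Allowlist each segment before it reaches the path string.
def checked_path(class_name, id = nil)
  name = class_name.to_s
  raise ArgumentError, "invalid className #{name.inspect}" unless CLASS_NAME_RE.match?(name)
  return "classes/#{name}/" if id.nil?

  id_str = id.to_s
  raise ArgumentError, "invalid objectId #{id_str.inspect}" unless OBJECT_ID_RE.match?(id_str)
  "classes/#{name}/#{id_str}"
end

# Models dot-segment removal as a URL normalizer in front of the API would do it.
def normalize(path)
  kept = []
  path.split("/").each do |seg|
    next if seg.empty? || seg == "."
    seg == ".." ? kept.pop : kept.push(seg)
  end
  "/" + kept.join("/")
end

# True when checked_path refuses the input.
def rejected?(class_name, id = nil)
  checked_path(class_name, id)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  smuggled = "../sessions/me"                    # string from the description above
  puts normalize(naive_path(smuggled))           # leaves the classes/ prefix entirely
  puts normalize(naive_path("Post", smuggled))   # leaves the Post class
  puts rejected?(smuggled), rejected?("Post", smuggled)
  multiline = "abc123\n#{smuggled}"              # constructed: valid first line, then traversal
  puts LINE_ANCHORED.match?(multiline)           # ^/$ accept it: they anchor per line
  puts rejected?("Post", multiline)              # \A/\z anchor the whole string
end
```

The allowlist also rejects percent-encoded forms, because `%` is outside both character classes.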