Class: Parse::Constraint::NotReadableByConstraint
- Inherits:
-
Parse::Constraint
- Object
- Parse::Constraint
- Parse::Constraint::NotReadableByConstraint
- Defined in:
- lib/parse/query/constraints.rb
Overview
Note:
"Not readable by X" excludes rows readable by X directly, via any role X inherits, AND publicly — so a User value expands its roles and the public +"*"+ is always added to the exclusion set.
Note:
This constraint uses aggregation pipeline because Parse Server restricts direct queries on the internal _rperm field.
ACL NOT Readable By Constraint Query objects that are NOT readable by the specified users/roles. Useful for finding objects hidden from specific users.
Instance Attribute Summary
Attributes inherited from Parse::Constraint
#operand, #operation, #operator, #value
Instance Method Summary collapse
Methods inherited from Parse::Constraint
#as_json, constraint_keyword, create, formatted_value, #formatted_value, #initialize, #key, #precedence, #regex_unicode_option, register, #to_s
Constructor Details
This class inherits a constructor from Parse::Constraint
Instance Method Details
#build ⇒ Object
3232 3233 3234 3235 3236 3237 3238 3239 3240 3241 3242 3243 3244 3245 3246 3247 3248 3249 3250 3251 3252 |
# File 'lib/parse/query/constraints.rb', line 3232 def build keys = ACLPermissions.collect_for_negation(@value) return { "__aggregation_pipeline" => [] } if keys.empty? # Find objects whose _rperm EXISTS and does NOT contain any of the # keys. The `$exists: true` guard is essential: Parse Server treats a # missing `_rperm` as publicly readable, and MongoDB's `$nin` matches # documents where the field is absent. Without the guard, # `not_readable_by("*")` (i.e. #not_publicly_readable) would MATCH the # public-by-absence rows it is meant to exclude — inverting the result # and giving a security audit a false sense of safety. pipeline = [ { "$match" => { "_rperm" => { "$exists" => true, "$nin" => keys }, }, }, ] { "__aggregation_pipeline" => pipeline } end |