From b52249991283b7bf5c7bcd81c9086e3c6501e007 Mon Sep 17 00:00:00 2001
From: Manuel Trezza <5673677+mtrezza@users.noreply.github.com>
Date: Thu, 5 Mar 2026 02:03:08 +0000
Subject: [PATCH] fix

---
 spec/rest.spec.js | 26 ++++++++++++++++++++++++++
 src/Routers/UsersRouter.js | 7 +++++++
 2 files changed, 33 insertions(+)

diff --git a/spec/rest.spec.js b/spec/rest.spec.js
index ddcd42adc4..392a4ac1da 100644
--- a/spec/rest.spec.js
+++ b/spec/rest.spec.js
@@ -1364,6 +1364,32 @@ describe('read-only masterKey', () => {
 expect(res.data.error).toBe('Permission denied');
 }
 });
+
+ it('should throw when trying to loginAs with readOnlyMasterKey', async () => {
+ // Create a target user
+ await Parse.User.signUp('readonly-loginas-test', 'password123');
+ const userId = Parse.User.current().id;
+ await Parse.User.logOut();
+
+ // Attempt loginAs with readOnlyMasterKey — should be rejected
+ loggerErrorSpy.calls.reset();
+ try {
+ await request({
+ method: 'POST',
+ url: `${Parse.serverURL}/loginAs`,
+ headers: {
+ 'X-Parse-Application-Id': Parse.applicationId,
+ 'X-Parse-Master-Key': 'read-only-test',
+ 'Content-Type': 'application/json',
+ },
+ body: { userId },
+ });
+ fail('should have thrown');
+ } catch (res) {
+ expect(res.data.code).toBe(Parse.Error.OPERATION_FORBIDDEN);
+ expect(res.data.error).toBe('Permission denied');
+ }
+ });
 });
 describe('rest context', () => {
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
index 6421d9abe1..0cf8247121 100644
--- a/src/Routers/UsersRouter.js
+++ b/src/Routers/UsersRouter.js
@@ -344,6 +344,13 @@ export class UsersRouter extends ClassesRouter {
 req.config
 );
 }
+ if (req.auth.isReadOnly) {
+ throw createSanitizedError(
+ Parse.Error.OPERATION_FORBIDDEN,
+ "read-only masterKey isn't allowed to login as another user.",
+ req.config
+ );
+ }
 const userId = req.body?.userId || req.query.userId;
 if (!userId) {
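Review bot: The new test proves the request is refused but not that the refusal happened before a session was minted for the target user, so a guard placed after session creation would still pass it. Snapshot the session count before the request and assert it is unchanged after the catch block, e.g. `const sessionQuery = new Parse.Query('_Session');`, `const before = await sessionQuery.count({ useMasterKey: true });` and, after the try/catch, `expect(await sessionQuery.count({ useMasterKey: true })).toBe(before);`. It would also help to pair this with a positive case that `loginAs` with the full master key still succeeds for the same user, so a regression that breaks `loginAs` outright is not masked by this test. `loggerErrorSpy.calls.reset()` is called but the spy is never asserted on here; if the sibling tests in this describe block check the logged unsanitized message, mirror that assertion, otherwise the reset is dead code.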
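Review bot: The new guard carries no comment explaining why a read-only master key is refused here, and the reason is not obvious from the surrounding checks: `loginAs` mints a session for an arbitrary user, a write that would let a read-only credential escalate to full access as that user. Add above the `if`: `// A read-only master key may only read data; loginAs would mint a session for another user, which is a privilege escalation.` Placing the check before `userId` is read is right, since no user lookup or session write happens for the rejected request. This relies on the Auth layer marking requests made with the readOnlyMasterKey as `isReadOnly`, which is outside the hunk; the enclosing handler starts before this hunk and continues after it.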