File tree Expand file tree Collapse file tree 1 file changed +9
-0
lines changed
Expand file tree Collapse file tree 1 file changed +9
-0
lines changed Original file line number Diff line number Diff line change @@ -1775,6 +1775,15 @@ describe('(GHSA-j7mm-f4rv-6q6q) Protected fields bypass via LiveQuery dot-notati
17751775 ) ;
17761776 } ) ;
17771777
1778+ it ( 'should reject LiveQuery subscription with protected field in $and' , async ( ) => {
1779+ // Build $and manually since Parse SDK doesn't expose it directly
1780+ const query = new Parse . Query ( 'SecretClass' ) ;
1781+ query . _where = { $and : [ { 'secretObj.apiKey' : 'SENSITIVE_KEY_123' } , { publicField : 'visible' } ] } ;
1782+ await expectAsync ( query . subscribe ( ) ) . toBeRejectedWith (
1783+ new Parse . Error ( Parse . Error . OPERATION_FORBIDDEN , 'Permission denied' )
1784+ ) ;
1785+ } ) ;
1786+
17781787 it ( 'should reject LiveQuery subscription with protected field in $nor' , async ( ) => {
17791788 // Build $nor manually since Parse SDK doesn't expose it directly
17801789 const query = new Parse . Query ( 'SecretClass' ) ;
You can’t perform that action at this time.
0 commit comments