From f53cb60d57f1eddedd3c4846b991ec5b8aa9ae62 Mon Sep 17 00:00:00 2001
From: Nikita Lutsenko
Date: Thu, 11 Feb 2016 21:53:32 -0800
Subject: [PATCH] Add enforceMasterKeyAccess middleware.
---
 spec/ParseFile.spec.js | 8 ++++----
 src/Controllers/FilesController.js | 8 +-------
 src/middlewares.js | 13 +++++++++++--
 3 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/spec/ParseFile.spec.js b/spec/ParseFile.spec.js
index 7287dd14db..8613f3a255 100644
--- a/spec/ParseFile.spec.js
+++ b/spec/ParseFile.spec.js
@@ -101,8 +101,8 @@ describe('Parse.File testing', () => {
 }, (error, response, body) => {
 expect(error).toBe(null);
 var del_b = JSON.parse(body);
- expect(response.statusCode).toEqual(400);
- expect(del_b.code).toEqual(119);
+ expect(response.statusCode).toEqual(403);
+ expect(del_b.error).toMatch(/unauthorized/);
 // incorrect X-Parse-Master-Key header
 request.del({
 headers: {
@@ -114,8 +114,8 @@ describe('Parse.File testing', () => {
 }, (error, response, body) => {
 expect(error).toBe(null);
 var del_b2 = JSON.parse(body);
- expect(response.statusCode).toEqual(400);
- expect(del_b2.code).toEqual(119);
+ expect(response.statusCode).toEqual(403);
+ expect(del_b2.error).toMatch(/unauthorized/);
 done();
 });
 });
diff --git a/src/Controllers/FilesController.js b/src/Controllers/FilesController.js
index 321042b97d..dac6b684d6 100644
--- a/src/Controllers/FilesController.js
+++ b/src/Controllers/FilesController.js
@@ -76,13 +76,6 @@ export class FilesController {
 deleteHandler() {
 return (req, res, next) => {
- // enforce use of master key for file deletions
- if(!req.auth.isMaster){
- next(new Parse.Error(Parse.Error.OPERATION_FORBIDDEN,
- 'Master key required for file deletion.'));
- return;
- }
-
 this._filesAdapter.deleteFile(req.config, req.params.filename).then(() => {
 res.status(200);
 // TODO: return useful JSON here?
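Review bot: The replacement assertion `expect(del_b.error).toMatch(/unauthorized/)` only checks for a substring of the message, so the test no longer pins anything a Parse SDK client can branch on: the old test expected `code` 119 from the `Parse.Error(OPERATION_FORBIDDEN)` the handler raised, and the new 403 body has no `code` field at all. If dropping the Parse error code is intentional, the spec should pin the whole body rather than a substring, e.g. `expect(del_b).toEqual({error: 'unauthorized: master key is required'});`, so a later change to the payload cannot slip past. It would also be worth asserting after the rejected request that the file is still retrievable, which proves the delete was actually prevented and not merely that an error was returned; I cannot see from this hunk whether the surrounding test already does so. The enclosing test callback starts before and continues after this hunk.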
@@ -142,6 +135,7 @@ export class FilesController {
 router.delete('/files/:filename',
 Middlewares.allowCrossDomain,
 Middlewares.handleParseHeaders,
+ Middlewares.enforceMasterKeyAccess,
 this.deleteHandler()
 );
diff --git a/src/middlewares.js b/src/middlewares.js
index bb2512391a..a07b2a1b11 100644
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -178,15 +178,24 @@ var handleParseErrors = function(err, req, res, next) {
 }
 };
+function enforceMasterKeyAccess(req, res, next) {
+ if (!req.auth.isMaster) {
+ res.status(403);
+ res.end('{"error":"unauthorized: master key is required"}');
+ return;
+ }
+ next();
+}
+
 function invalidRequest(req, res) {
 res.status(403);
 res.end('{"error":"unauthorized"}');
 }
-
 module.exports = {
 allowCrossDomain: allowCrossDomain,
 allowMethodOverride: allowMethodOverride,
 handleParseErrors: handleParseErrors,
- handleParseHeaders: handleParseHeaders
+ handleParseHeaders: handleParseHeaders,
+ enforceMasterKeyAccess: enforceMasterKeyAccess
 };
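Review bot: With the in-handler check removed in the earlier hunk, the added `Middlewares.enforceMasterKeyAccess,` line is now the only thing standing between an unauthenticated caller and `deleteFile`, and the middleware reads `req.auth`, which is only populated because `Middlewares.handleParseHeaders` runs before it on this route. The ordering is correct here, but both dependencies are implicit, and a future reorder of the route or a second mount of `this.deleteHandler()` elsewhere would silently drop the protection. A comment on the route such as `// enforceMasterKeyAccess reads req.auth, so it must follow handleParseHeaders; deleteHandler does no auth check of its own` would make the invariant visible. The method that builds this router starts before the hunk and is not visible here.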
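Review bot: `enforceMasterKeyAccess` dereferences `req.auth.isMaster` unconditionally, so on any route where it is mounted without `handleParseHeaders` having run first it throws a TypeError instead of answering 403; that still fails closed, but through the generic error path rather than the intended response. Changing the guard to `if (!req.auth || !req.auth.isMaster) {` lets the middleware reject cleanly on its own. Separately, `res.end('{"error":...}')` writes a hand-built JSON string and, if this is an Express response, appears to send it without a Content-Type; that mirrors the existing `invalidRequest` helper, so if that style is being kept deliberately it is fine, otherwise `res.status(403).json({error: 'unauthorized: master key is required'});` would set the header and avoid the literal. The hunk's last visible line is the closing `};` of `module.exports`.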