New Issue Checklist
- [x] I am not disclosing a vulnerability.
- [x] I am not just asking a question.
- [x] I have searched through existing issues.
- I can reproduce the issue with the latest version of Parse Server.
Issue Description
On Parse Server 4.3.0 (I haven't tried on a newer release yet) there's an issue with Protected Fields in the beforeSave trigger. It seems the object is fetched without any identification (no user token or no master key), as the fields that are marked as "protected for public access (*)" are not available in the beforeSave object, whereas the owner of the object (identified with a `userField:owner` pointer) should have access to every field.
Steps to reproduce
- add a full access for a userField pointer
- add a protected field for public (*)
- perform an update of the object while being identified as the owner
- check the protected field presence
Actual Outcome
The protected field is not in the beforeSave object
Expected Outcome
As the user is the owner, he should have full access
Environment
Server
- Parse Server version: 4.3.0
- Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): local & AWS
Database
- System (MongoDB or Postgres): MongoDB
- Database version: 3.6
- Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): MongoDB Atlas
Client
- SDK (iOS, Android, JavaScript, PHP, Unity, etc): iOS
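The access rule this report relies on, as an added example that is not part of the original issue and not Parse Server's code: a simplified model in which a field stays hidden only when every `protectedFields` key matching the caller lists it. The `secret` and `title` fields, the sample object and all function names are constructed for illustration.

```javascript
// Simplified model of protectedFields resolution (an assumption for
// illustration; not Parse Server's source).
const clp = {                 // constructed class-level permissions
  protectedFields: {
    '*': ['secret'],          // hidden from the public
    'userField:owner': [],    // owner pointer: nothing hidden
  },
};

// Collect the protectedFields keys that apply to this caller and object.
function matchingKeys(protectedFields, auth, object) {
  const keys = ['*'];
  if (auth && auth.userId) {
    keys.push('authenticated', auth.userId);
    for (const role of auth.roles || []) keys.push(`role:${role}`);
    for (const key of Object.keys(protectedFields)) {
      if (!key.startsWith('userField:')) continue;
      const ptr = object[key.slice('userField:'.length)];
      if (ptr && ptr.objectId === auth.userId) keys.push(key);
    }
  }
  return keys.filter(k => k in protectedFields);
}

// A field stays hidden only if every matching key protects it (intersection).
function hiddenFields(protectedFields, auth, object) {
  const sets = matchingKeys(protectedFields, auth, object).map(k => protectedFields[k]);
  if (sets.length === 0) return [];
  return sets.reduce((acc, s) => acc.filter(f => s.includes(f)));
}

// What a trigger would receive after the fetch is filtered for `auth`.
function viewFor(auth, object, perms = clp) {
  if (auth && auth.isMaster) return { ...object };
  const hidden = hiddenFields(perms.protectedFields, auth, object);
  return Object.fromEntries(Object.entries(object).filter(([k]) => !hidden.includes(k)));
}

// Constructed stored object owned by userA.
const stored = { objectId: 'obj1', owner: { objectId: 'userA' }, secret: 's3', title: 't' };
const ownerView = viewFor({ userId: 'userA' }, stored); // expected outcome in the report
const anonView = viewFor(null, stored);                 // shape of the reported outcome
const otherView = viewFor({ userId: 'userB' }, stored); // non-owner stays restricted
console.log('secret' in ownerView, 'secret' in anonView, 'secret' in otherView);
```

A regression test for a fix would assert the owner case inside the trigger while keeping the anonymous and non-owner cases stripped, so the fix does not widen access.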