
Session objects can be updated or created for any user without using master key #4150

@cchang-polyvore


Issue Description

Session objects can be updated or created through the REST API without using the master key. Specifically, a user can update his/her current session's user field to point at another user, or add a new session object associated with another user.

Steps to reproduce

Update current session

  1. Log in to parse application
  2. Retrieve current session through https://cabana.yahoo.com/parse/sessions/me
  3. Update the current session's user field through a PUT request
    # SERVER_URL is the parse-server mount point, i.e. the https://.../parse prefix used in step 2
    curl -X PUT \
      -H "X-Parse-Application-Id: myAppId" \
      -H "X-Parse-Session-Token: mySessionToken" \
      -G \
      --data-urlencode 'where={"user":{"__type":"Pointer","className":"_User","objectId":""}}' \
      "$SERVER_URL/sessions/"

Create new session

  1. Log in to parse application
  2. Create a new session through a POST request
    # SERVER_URL is the parse-server mount point, i.e. the https://.../parse prefix used above
    curl -X POST \
      -H "X-Parse-Application-Id: myAppId" \
      -H "X-Parse-Session-Token: mySessionToken" \
      -G \
      --data-urlencode 'where={"user":{"__type":"Pointer","className":"_User","objectId":""}}' \
      "$SERVER_URL/sessions/"

Expected Results

Sessions should not be writable once created. In addition, users should not be able to create sessions associated with other users.

Actual Outcome

Sessions can be modified or created so that they are associated with any user.

Environment Setup

  • Server
    • parse-server version: 2.3.7
    • Hosting: Heroku (remote)
  • Database
    • MongoDB version: 3.2.16
    • Hosting: mLab (remote)
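The two reproduction steps above amount to a missing write policy on the `_Session` class: a caller holding only a session token is allowed to re-point `user` on an existing session and to create a session for an arbitrary user. The following is an added example, not parse-server's own code, showing that vulnerable policy beside a hardened one that enforces the expected results (only the master key may touch another user's session; non-master creates are bound to the caller; `user`, `sessionToken` and `ACL` are not settable). The in-memory store, tokens, user ids, master key and every function name are constructed for the example and are assumptions, not parse-server identifiers.

```javascript
// Added example, not parse-server's own code: a write-policy check for the
// _Session class that enforces the behaviour this issue expects. The store,
// tokens, user ids and master key are constructed; every name is hypothetical.
const MASTER_KEY = 'example-master-key';

function userPointer(objectId) {
  return { __type: 'Pointer', className: '_User', objectId };
}

// Fresh in-memory stand-in for the _Session collection (constructed sample data).
function makeStore() {
  return new Map([
    ['sessAlice', { objectId: 'sessAlice', sessionToken: 'r:tokenAlice', user: userPointer('alice') }],
    ['sessBob', { objectId: 'sessBob', sessionToken: 'r:tokenBob', user: userPointer('bob') }],
  ]);
}

// Map request headers to an auth context the way a REST layer would:
// the master key wins, otherwise X-Parse-Session-Token resolves to its user.
function resolveAuth(store, headers) {
  if (headers['X-Parse-Master-Key'] === MASTER_KEY) return { isMaster: true, userId: null };
  for (const s of store.values()) {
    if (s.sessionToken === headers['X-Parse-Session-Token']) {
      return { isMaster: false, userId: s.user.objectId };
    }
  }
  return { isMaster: false, userId: null };
}

// Vulnerable policy (the reported behaviour): any authenticated caller may
// create or update a _Session row with arbitrary fields, `user` included.
function vulnerablePolicy(auth, existing, data) {
  if (auth.isMaster || auth.userId !== null) return { ok: true };
  return { ok: false, error: 'Session token required.' };
}

// Hardened policy: without the master key a caller may only create sessions
// for itself, may only update its own sessions, and may never re-point
// `user` or set `sessionToken`/`ACL`.
function hardenedPolicy(auth, existing, data) {
  if (auth.isMaster) return { ok: true };
  if (auth.userId === null) return { ok: false, error: 'Session token required.' };
  if ('ACL' in data) return { ok: false, error: 'Cannot set ACL on a Session.' };
  if ('sessionToken' in data) return { ok: false, error: 'Cannot set sessionToken on a Session.' };
  const target = data.user && data.user.objectId;
  if (existing) {
    // Update: a foreign session is invisible to the caller, and the owner pointer is immutable.
    if (existing.user.objectId !== auth.userId) return { ok: false, error: 'Object not found.' };
    if (target !== undefined && target !== auth.userId) {
      return { ok: false, error: 'Cannot change the user of a Session.' };
    }
  } else if (target !== undefined && target !== auth.userId) {
    // Create: the new session is bound to the caller; a foreign user pointer is refused.
    return { ok: false, error: 'Cannot create a Session for another user.' };
  }
  return { ok: true };
}

// Apply one REST write (POST when objectId is null, PUT otherwise) under a policy.
// A refused write returns the policy error and leaves the store untouched.
function writeSession(store, policy, headers, objectId, data) {
  const auth = resolveAuth(store, headers);
  const existing = objectId === null ? undefined : store.get(objectId);
  if (objectId !== null && !existing) return { ok: false, error: 'Object not found.' };
  const verdict = policy(auth, existing, data);
  if (!verdict.ok) return verdict;
  if (existing) {
    Object.assign(existing, data);
    return { ok: true, objectId, user: existing.user.objectId };
  }
  const id = 'sess' + (store.size + 1);
  const row = { ...data, objectId: id, sessionToken: 'r:' + id, user: data.user || userPointer(auth.userId) };
  store.set(id, row);
  return { ok: true, objectId: id, user: row.user.objectId };
}

// Replay the two reproduction steps from the issue (alice's session token,
// bob's user pointer) under a policy and report whom alice's session now belongs to.
function replayIssue(policy) {
  const store = makeStore();
  const headers = { 'X-Parse-Application-Id': 'myAppId', 'X-Parse-Session-Token': 'r:tokenAlice' };
  const update = writeSession(store, policy, headers, 'sessAlice', { user: userPointer('bob') });
  const create = writeSession(store, policy, headers, null, { user: userPointer('bob') });
  return { update, create, aliceSessionNowBelongsTo: store.get('sessAlice').user.objectId };
}
```

`replayIssue(vulnerablePolicy)` reproduces the report: the PUT re-points alice's session at bob and the POST mints a session for bob, after which alice's own token resolves to bob. `replayIssue(hardenedPolicy)` refuses both writes and leaves the store unchanged, while an owner updating a non-identity field of its own session, creating a session with no `user` supplied, or a master-key caller still succeed.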

Labels

    type:bug (Impaired feature or lacking behavior that is likely assumed)