Cannot create Parse Role after "fix: return correct response when revert is used in beforeSave #7839"

[AlbinIzi]

New Issue Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.
• I can reproduce the issue with the latest version of Parse Server.

Issue Description

The PR #7839 introduce a regression. We cannot create a Parse.Role anymore if we have a beforeSave on Parse.Role.
We get an error: TypeError: Tried to create an ACL with an invalid permission type.

Steps to reproduce

Add this test in spec/CloudCode.spec.js:

  it('create role with name and ACL and a beforeSave', async () => {
    Parse.Cloud.beforeSave(Parse.Role, ({ object }) => {
      // do nothing, it's just to reproduce the bug, we must have a beforeSave
      return object;
    });

    const obj = new Parse.Role('TestRole', new Parse.ACL({ '*': { read: true, write: true } }));
    await obj.save();

    expect(obj.getACL()).toEqual(new Parse.ACL({ '*': { read: true, write: true } }));
    expect(obj.get('name')).toEqual('TestRole');
    await obj.fetch();

    expect(obj.getACL()).toEqual(new Parse.ACL({ '*': { read: true, write: true } }));
    expect(obj.get('name')).toEqual('TestRole');
  });

Actual Outcome

Message:
TypeError: Tried to create an ACL with an invalid permission type.
Stack:
at
at new ParseACL (/Users/albin/iziwork/parse-server/node_modules/parse/lib/node/ParseACL.js:69:21)
at ParseRole._handleSaveResponse (/Users/albin/iziwork/parse-server/node_modules/parse/lib/node/ParseObject.js:614:25)
at /Users/albin/iziwork/parse-server/node_modules/parse/lib/node/ParseObject.js:3183:22
at processTicksAndRejections (node:internal/process/task_queues:96:5)

Expected Outcome

The created role with the right name and ACL.

Environment

Server

• Parse Server version: 5.3.3
• Operating system: MacOS
• Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): local

Database

• System (MongoDB or Postgres): MongoDB
• Database version: 5.2.1
• Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): local

Client

• SDK (iOS, Android, JavaScript, PHP, Unity, etc): JavaScript
• SDK version: 3.4.2

Logs

[parse-github-assistant]

Thanks for opening this issue!

• 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

[AlbinIzi]

From my understanding, with PR 7839, the buildParseObjects function is now called after the save.
The problem is that buildParseObjects function call set on Parse.Role that call validate on Parse.Role which failing (ParseError: A role's name can only be set before it has been saved) so pendingOps are not set on the new created Parse.Role object.
The result is that we have a difference between pendingOps before the beforeSave and after the save so the name and ACL fields are marked as deleted: { __op: 'Delete' } which is not a valid ACL value.

[AlbinIzi]

I don't know the impacts but since buildParseObjects was not called before and because validation have already been done, we could add an optional options parameter to buildParseObjects function (default value: { ignoreValidation: false }) to use it when updatedObject.set(sanitized) is called.
In _updateResponseWithData the buildParseObjects will be called with { ignoreValidation: true } to disable validation after the save.
What do you think ?

[parseplatformorg]

🎉 This change has been released in version 6.0.0-alpha.10

[AlbinIzi]

Thanks ! Is it possible to fix this issue in 5.3.4 please ?

[mtrezza]

See my answer here

[parseplatformorg]

🎉 This change has been released in version 6.0.0-beta.1

[parseplatformorg]

🎉 This change has been released in version 6.0.0