Enhance ACL permission methods with array and pointer support

ACL permission methods (`readable_by?`, `writeable_by?`, `owner?`) now accept arrays for OR logic and support Parse::Pointer to User objects with automatic role expansion. Permission checks for users and pointers automatically include associated roles, improving flexibility for multi-user/role permission checks. Also fixes pointer constraint conversion in `group_by_date` for MongoDB aggregation, resolving empty result issues. Adds comprehensive tests for new ACL behaviors.

Author: AdrianCurtin

CHANGELOG.md

@@ -1,5 +1,16 @@
 ## Parse-Stack Changelog
 
+### 2.0.7
+
+- **NEW**: `readable_by?`, `writeable_by?`, and `owner?` ACL methods now accept arrays for OR logic
+- **NEW**: ACL permission methods now support Parse::Pointer to User objects with automatic role expansion
+- **ENHANCED**: ACL permission checking methods support checking if ANY user/role in an array has the specified permission
+- **ENHANCED**: When passed a Parse::User object or Parse::Pointer to User, automatically queries and checks the user's roles
+- **ENHANCED**: Array support works with user IDs and role names (strings)
+- **IMPROVED**: Better flexibility for checking permissions across multiple users and roles simultaneously
+- **IMPROVED**: Parse::Pointer to User queries roles without needing to fetch the full user object
+- **FIXED**: `group_by_date` now properly converts Parse pointer constraints to MongoDB aggregation format, fixing empty result issues when filtering by Parse object references
+
 ### 2.0.6
 
 - **NEW**: Added `:minute` and `:second` interval support to `group_by_date` for minute-level and second-level time grouping

lib/parse/model/acl.rb

@@ -436,19 +436,161 @@ def writeable_by
     end
     alias_method :writable_by, :writeable_by
 
-    # Checks if a specific user or role has read access to this object.
-    # @param user_or_role [String, Parse::User, Parse::Role] the user ID, role name, user object, or role object
-    # @return [Boolean] true if the user/role has read access
+    # Checks if a specific user or role (or any in an array) has read access to this object.
+    # When passed an array of strings, returns true if ANY of the users/roles have read access (OR logic).
+    # When passed a Parse::User object or pointer, automatically fetches and checks the user's roles as well.
+    # @param user_or_role [String, Parse::User, Parse::Pointer, Array<String>] the user ID, role name, user object, user pointer, or array of user IDs/role names
+    # @return [Boolean] true if the user/role (or any in the array) has read access
+    # @example
+    #   acl.readable_by?("user123")                    # Check single user ID
+    #   acl.readable_by?("Admin")                      # Check single role name
+    #   acl.readable_by?(user_object)                  # Check user + their roles
+    #   acl.readable_by?(user_pointer)                 # Check user pointer + their roles
+    #   acl.readable_by?(["user123", "Admin"])         # Check array (OR logic)
     def readable_by?(user_or_role)
+      # Handle arrays - check if ANY item in the array has read access (OR logic)
+      if user_or_role.is_a?(Array)
+        # For arrays, just check each string value directly (no User object expansion)
+        return user_or_role.any? do |item|
+          key = normalize_permission_key(item)
+          key && permissions[key]&.read == true
+        end
+      end
+
+      # Handle Parse::Pointer to User - expand to include user ID and roles
+      if user_or_role.is_a?(Parse::Pointer) || (user_or_role.respond_to?(:parse_class) && user_or_role.respond_to?(:id))
+        # Check if it's a pointer to a User
+        if user_or_role.respond_to?(:parse_class) && (user_or_role.parse_class == "User" || user_or_role.parse_class == "_User")
+          permissions_to_check = []
+
+          # Add the user ID from the pointer
+          user_id = user_or_role.respond_to?(:id) ? user_or_role.id : nil
+          permissions_to_check << user_id if user_id.present?
+
+          # Query roles directly using the user pointer (no need to fetch the full user)
+          begin
+            if user_id.present? && defined?(Parse::Role)
+              user_roles = Parse::Role.all(users: user_or_role)
+              user_roles.each do |role|
+                permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
+              end
+            end
+          rescue => e
+            # If role fetching fails, continue with just the user ID
+          end
+
+          # Check if any of the user's permissions (user ID or roles) have read access
+          return readable_by?(permissions_to_check) if permissions_to_check.any?
+          return false
+        end
+      end
+
+      # If it's a User object, expand it to include the user ID and all their roles
+      if user_or_role.is_a?(Parse::User) || (user_or_role.respond_to?(:is_a?) && user_or_role.is_a?(Parse::User))
+        permissions_to_check = []
+
+        # Add the user ID
+        permissions_to_check << user_or_role.id if user_or_role.respond_to?(:id) && user_or_role.id.present?
+
+        # Fetch and add all the user's roles
+        begin
+          if user_or_role.respond_to?(:id) && user_or_role.id.present? && defined?(Parse::Role)
+            user_roles = Parse::Role.all(users: user_or_role)
+            user_roles.each do |role|
+              permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
+            end
+          end
+        rescue => e
+          # If role fetching fails, continue with just the user ID
+        end
+
+        # Check if any of the user's permissions (user ID or roles) have read access
+        # Use array checking logic (OR)
+        return readable_by?(permissions_to_check) if permissions_to_check.any?
+        return false
+      end
+
+      # Single string value - check directly
       key = normalize_permission_key(user_or_role)
       return false unless key
       permissions[key]&.read == true
     end
 
-    # Checks if a specific user or role has write access to this object.
-    # @param user_or_role [String, Parse::User, Parse::Role] the user ID, role name, user object, or role object
-    # @return [Boolean] true if the user/role has write access
+    # Checks if a specific user or role (or any in an array) has write access to this object.
+    # When passed an array of strings, returns true if ANY of the users/roles have write access (OR logic).
+    # When passed a Parse::User object or pointer, automatically fetches and checks the user's roles as well.
+    # @param user_or_role [String, Parse::User, Parse::Pointer, Array<String>] the user ID, role name, user object, user pointer, or array of user IDs/role names
+    # @return [Boolean] true if the user/role (or any in the array) has write access
+    # @example
+    #   acl.writeable_by?("user123")                   # Check single user ID
+    #   acl.writeable_by?("Admin")                     # Check single role name
+    #   acl.writeable_by?(user_object)                 # Check user + their roles
+    #   acl.writeable_by?(user_pointer)                # Check user pointer + their roles
+    #   acl.writeable_by?(["user123", "Admin"])        # Check array (OR logic)
     def writeable_by?(user_or_role)
+      # Handle arrays - check if ANY item in the array has write access (OR logic)
+      if user_or_role.is_a?(Array)
+        # For arrays, just check each string value directly (no User object expansion)
+        return user_or_role.any? do |item|
+          key = normalize_permission_key(item)
+          key && permissions[key]&.write == true
+        end
+      end
+
+      # Handle Parse::Pointer to User - expand to include user ID and roles
+      if user_or_role.is_a?(Parse::Pointer) || (user_or_role.respond_to?(:parse_class) && user_or_role.respond_to?(:id))
+        # Check if it's a pointer to a User
+        if user_or_role.respond_to?(:parse_class) && (user_or_role.parse_class == "User" || user_or_role.parse_class == "_User")
+          permissions_to_check = []
+
+          # Add the user ID from the pointer
+          user_id = user_or_role.respond_to?(:id) ? user_or_role.id : nil
+          permissions_to_check << user_id if user_id.present?
+
+          # Query roles directly using the user pointer (no need to fetch the full user)
+          begin
+            if user_id.present? && defined?(Parse::Role)
+              user_roles = Parse::Role.all(users: user_or_role)
+              user_roles.each do |role|
+                permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
+              end
+            end
+          rescue => e
+            # If role fetching fails, continue with just the user ID
+          end
+
+          # Check if any of the user's permissions (user ID or roles) have write access
+          return writeable_by?(permissions_to_check) if permissions_to_check.any?
+          return false
+        end
+      end
+
+      # If it's a User object, expand it to include the user ID and all their roles
+      if user_or_role.is_a?(Parse::User) || (user_or_role.respond_to?(:is_a?) && user_or_role.is_a?(Parse::User))
+        permissions_to_check = []
+
+        # Add the user ID
+        permissions_to_check << user_or_role.id if user_or_role.respond_to?(:id) && user_or_role.id.present?
+
+        # Fetch and add all the user's roles
+        begin
+          if user_or_role.respond_to?(:id) && user_or_role.id.present? && defined?(Parse::Role)
+            user_roles = Parse::Role.all(users: user_or_role)
+            user_roles.each do |role|
+              permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
+            end
+          end
+        rescue => e
+          # If role fetching fails, continue with just the user ID
+        end
+
+        # Check if any of the user's permissions (user ID or roles) have write access
+        # Use array checking logic (OR)
+        return writeable_by?(permissions_to_check) if permissions_to_check.any?
+        return false
+      end
+
+      # Single string value - check directly
       key = normalize_permission_key(user_or_role)
       return false unless key
       permissions[key]&.write == true
@@ -499,10 +641,83 @@ def owners
       permissions.select { |k, v| v.read && v.write }.keys
     end
 
-    # Checks if a specific user or role has both read and write access to this object.
-    # @param user_or_role [String, Parse::User, Parse::Role] the user ID, role name, user object, or role object
-    # @return [Boolean] true if the user/role has both read and write access
+    # Checks if a specific user or role (or any in an array) has both read and write access to this object.
+    # When passed an array of strings, returns true if ANY of the users/roles have both read and write access (OR logic).
+    # When passed a Parse::User object or pointer, automatically fetches and checks the user's roles as well.
+    # @param user_or_role [String, Parse::User, Parse::Pointer, Array<String>] the user ID, role name, user object, user pointer, or array of user IDs/role names
+    # @return [Boolean] true if the user/role (or any in the array) has both read and write access
+    # @example
+    #   acl.owner?("user123")                          # Check single user ID
+    #   acl.owner?("Admin")                            # Check single role name
+    #   acl.owner?(user_object)                        # Check user + their roles
+    #   acl.owner?(user_pointer)                       # Check user pointer + their roles
+    #   acl.owner?(["user123", "Admin"])               # Check array (OR logic)
     def owner?(user_or_role)
+      # Handle arrays - check if ANY item in the array is an owner (OR logic)
+      if user_or_role.is_a?(Array)
+        # For arrays, just check each string value directly (no User object expansion)
+        return user_or_role.any? do |item|
+          key = normalize_permission_key(item)
+          next false unless key
+          perm = permissions[key]
+          perm&.read == true && perm&.write == true
+        end
+      end
+
+      # Handle Parse::Pointer to User - expand to include user ID and roles
+      if user_or_role.is_a?(Parse::Pointer) || (user_or_role.respond_to?(:parse_class) && user_or_role.respond_to?(:id))
+        # Check if it's a pointer to a User
+        if user_or_role.respond_to?(:parse_class) && (user_or_role.parse_class == "User" || user_or_role.parse_class == "_User")
+          permissions_to_check = []
+
+          # Add the user ID from the pointer
+          user_id = user_or_role.respond_to?(:id) ? user_or_role.id : nil
+          permissions_to_check << user_id if user_id.present?
+
+          # Query roles directly using the user pointer (no need to fetch the full user)
+          begin
+            if user_id.present? && defined?(Parse::Role)
+              user_roles = Parse::Role.all(users: user_or_role)
+              user_roles.each do |role|
+                permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
+              end
+            end
+          rescue => e
+            # If role fetching fails, continue with just the user ID
+          end
+
+          # Check if any of the user's permissions (user ID or roles) are owners
+          return owner?(permissions_to_check) if permissions_to_check.any?
+          return false
+        end
+      end
+
+      # If it's a User object, expand it to include the user ID and all their roles
+      if user_or_role.is_a?(Parse::User) || (user_or_role.respond_to?(:is_a?) && user_or_role.is_a?(Parse::User))
+        permissions_to_check = []
+
+        # Add the user ID
+        permissions_to_check << user_or_role.id if user_or_role.respond_to?(:id) && user_or_role.id.present?
+
+        # Fetch and add all the user's roles
+        begin
+          if user_or_role.respond_to?(:id) && user_or_role.id.present? && defined?(Parse::Role)
+            user_roles = Parse::Role.all(users: user_or_role)
+            user_roles.each do |role|
+              permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
+            end
+          end
+        rescue => e
+          # If role fetching fails, continue with just the user ID
+        end
+
+        # Check if any of the user's permissions (user ID or roles) are owners
+        # Use array checking logic (OR)
+        return owner?(permissions_to_check) if permissions_to_check.any?
+        return false
+      end
+
+      # Single string value - check directly
       key = normalize_permission_key(user_or_role)
       return false unless key
       perm = permissions[key]

lib/parse/query.rb

@@ -3338,7 +3338,9 @@ def execute_date_aggregation(operation, aggregation_expr)
       # Add match stage if there are where conditions
       compiled_where = @query.send(:compile_where)
       if compiled_where.present?
-        stringified_where = @query.send(:convert_dates_for_aggregation, JSON.parse(compiled_where.to_json))
+        # Convert field names for aggregation context and handle dates
+        aggregation_where = @query.send(:convert_constraints_for_aggregation, compiled_where)
+        stringified_where = @query.send(:convert_dates_for_aggregation, aggregation_where)
         pipeline.unshift({ "$match" => stringified_where })
       end
 

lib/parse/query/constraints.rb

@@ -1125,9 +1125,18 @@ def build
           # Handle pointer to User or Role
           if value.respond_to?(:parse_class) && (value.parse_class == "User" || value.parse_class == "_User")
             permissions_to_check << value.id if value.respond_to?(:id) && value.id.present?
-            
-            # For user pointers, we could optionally fetch the full user and their roles
-            # but that would require additional queries, so for now just use the ID
+
+            # Query roles directly using the user pointer (no need to fetch the full user)
+            begin
+              if value.respond_to?(:id) && value.id.present? && defined?(Parse::Role)
+                user_roles = Parse::Role.all(users: value)
+                user_roles.each do |role|
+                  permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
+                end
+              end
+            rescue => e
+              # If role fetching fails, continue with just the user ID
+            end
           elsif value.respond_to?(:parse_class) && (value.parse_class == "Role" || value.parse_class == "_Role")
             # For role pointers, we need the role name, but we only have the ID
             # We'd need to fetch the role to get its name, so for now skip this
@@ -1261,9 +1270,18 @@ def build
           # Handle pointer to User or Role
           if value.respond_to?(:parse_class) && (value.parse_class == "User" || value.parse_class == "_User")
             permissions_to_check << value.id if value.respond_to?(:id) && value.id.present?
-            
-            # For user pointers, we could optionally fetch the full user and their roles
-            # but that would require additional queries, so for now just use the ID
+
+            # Query roles directly using the user pointer (no need to fetch the full user)
+            begin
+              if value.respond_to?(:id) && value.id.present? && defined?(Parse::Role)
+                user_roles = Parse::Role.all(users: value)
+                user_roles.each do |role|
+                  permissions_to_check << "role:#{role.name}" if role.respond_to?(:name) && role.name.present?
+                end
+              end
+            rescue => e
+              # If role fetching fails, continue with just the user ID
+            end
           elsif value.respond_to?(:parse_class) && (value.parse_class == "Role" || value.parse_class == "_Role")
             # For role pointers, we need the role name, but we only have the ID
             # We'd need to fetch the role to get its name, so for now skip this