fix: Role linking in ACL fails with type error

[Copilot]

New Pull Request Checklist

• I am not disclosing a vulnerability.
• I am creating this PR in reference to an issue.

Issue Description

Adding a role to an ACL record throws TypeError: Cannot read properties of undefined (reading 'set') in version 8.0+, working in 7.5.

Approach

Race condition: entryTypes state initialized as undefined, set to Map in async componentDidMount. Fast user interactions trigger .set() calls before initialization completes.

Changes:

• PermissionsDialog.react.js: Initialize entryTypes: new Map() instead of undefined
• ProtectedFieldsDialog.react.js: Same fix for protected fields dialog

// Before
this.state = {
  entryTypes: undefined,  // Later set in async componentDidMount
  // ...
};

// After
this.state = {
  entryTypes: new Map(),  // Ready immediately
  // ...
};

Note: This PR specifically fixes the race condition causing the reported "Cannot read properties of undefined (reading 'set')" error. A separate potential issue exists where validateEntry returns role entries without the "role:" prefix when roles are not found, which would cause a different error ("TypeError: next.role.getName is not a function"). That is a distinct bug not addressed in this PR.

TODOs before merging

• Add tests
• Add changes to documentation (guides, repository pages, in-code descriptions)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>link role to an ACL record</issue_title>
<issue_description>

Issue Description

I cannot link a role to an ACL record; this error has been present since version 8 and does not occur in version 7.5.

Steps to reproduce

Go to any record and try to link a role to the ACL

Environment

8.0

Dashboard

• Parse Dashboard version: 8 onwards
• Browser (Safari, Chrome, Firefox, Edge, etc.): Chrome
• Browser version: 143

Server

• Parse Server version: 9.1.1
• Operating system: Windows and MacOS
• Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): Local

Database

• System (MongoDB or Postgres): MongoDB
• Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): Atlas

Logs

Uncaught (in promise) TypeError: Cannot read properties of undefined (reading 'set')
at dashboard.bundle.js:2:3049702
</issue_description>

<agent_instructions>Implement the suggested fix option 1.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes link role to an ACL record #3093

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Summary by CodeRabbit

Bug Fixes

• Enhanced permission validation to handle partial failures and continue processing remaining entries
• Fixed permission data merging logic to preserve existing entries while adding new ones

Refactor

• Standardized query construction method calls across security-related dialogs

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes fix Parse API usage by removing unnecessary new keywords from Parse.Query.or() calls across multiple files, and improve error handling by replacing Promise.all with Promise.allSettled in permission and protected field dialogs to handle partial failures gracefully.

Changes

Cohort / File(s)	Summary
Parse.Query.or() API Fixes src/components/ACLEditor/ACLEditor.react.js, src/dashboard/Data/Browser/SecureFieldsDialog.react.js, src/dashboard/Data/Browser/SecurityDialog.react.js	Removed unnecessary new keyword from Parse.Query.or(...) calls for user and role query construction, aligning with correct static method invocation.
Promise Error Handling & State Management src/components/PermissionsDialog/PermissionsDialog.react.js, src/components/ProtectedFieldsDialog/ProtectedFieldsDialog.react.js	Replaced Promise.all with Promise.allSettled for validation, skipping rejected promises. Changed entryTypes initialization from undefined to empty Map and updated state merging to preserve existing entries while accumulating new ones.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	⚠️ Warning	Changes to ACLEditor and SecureFieldsDialog/SecurityDialog files (Parse.Query.or usage) appear outside the race condition fix scope described in objectives.	Clarify whether the Parse.Query.or changes are necessary for this fix or if they should be in a separate PR addressing API usage patterns.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main fix: resolving a TypeError when linking roles to ACL records.
Description check	✅ Passed	The description provides clear issue context, root cause analysis, specific changes made, and acknowledges limitations, though documentation tasks remain pending.
Linked Issues check	✅ Passed	The PR addresses the reported TypeError by initializing entryTypes as an empty Map instead of undefined, preventing race condition errors when linking roles to ACL records.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch copilot/fix-link-role-to-acl-record

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

[mtrezza]

@copilot read the Coding Plan in #3093. In your analysis for this PR you identified a race condition as the root cause, but coderabbitai's analysis in the Coding Plan is a missing prefix. Which one is true?

[Copilot]

@copilot read the Coding Plan in #3093. In your analysis for this PR you identified a race condition as the root cause, but coderabbitai's anal...

Both analyses identify real issues, but they cause different errors:

My race condition fix (commits 2a8d09a, 99ba2fa):

• Error: Cannot read properties of undefined (reading 'set') ✅ Matches the reported error
• Cause: entryTypes undefined before componentDidMount completes, fails at line 797 when calling .set()
• Fix: Initialize entryTypes: new Map() in constructor

Missing prefix issue (coderabbitai's analysis):

• Error: Would be TypeError: next.role.getName is not a function
• Cause: When a role with "role:" prefix is not found, validateEntry returns entry without prefix (just "TestRole" string instead of role object)
• Would fail at line 747: next.role.getName() on a string
• This is a DIFFERENT bug not reported in this issue

The reported error message specifically mentions "reading 'set'" which matches the race condition, not the prefix issue. However, the prefix bug exists and could cause problems in other scenarios.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/parse-community/parse-dashboard/issues/3093
  • Triggering command: /usr/bin/curl curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[mtrezza]

@lstarkgv could you please try out this PR and see whether is solves the issue?

[lstarkgv]

@lstarkgv could you please try out this PR and see whether is solves the issue?

Sure, I’ll try out the PR and let you know if it solves the issue.

[mtrezza]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/dashboard/Data/Browser/SecurityDialog.react.js (1)

31-33: ⚠️ Potential issue | 🟡 Minor

Pre-existing bug: toLowerCase() comparison will never match 'requiresAuthentication'.

text.toLowerCase() produces all-lowercase output, so it can never equal the mixed-case string 'requiresAuthentication'. This condition is unreachable. The fix would be to compare against the lowercase form or drop the toLowerCase() call:

Proposed fix

-  if (text.toLowerCase() === 'requiresAuthentication') {
+  if (text.toLowerCase() === 'requiresauthentication') {

This is pre-existing and outside the scope of this PR, but worth tracking.

🧹 Nitpick comments (1)

src/components/PermissionsDialog/PermissionsDialog.react.js (1)

615-658: Good use of Promise.allSettled with graceful handling of partial failures.

The switch from Promise.all to Promise.allSettled ensures that one invalid/deleted entry doesn't prevent all other entries from rendering their type pills. The functional setState with merge correctly preserves any entries that the user may have added while the async validation was in flight.

One minor note: if result.value has a type that doesn't match any of the if conditions (lines 631–652), key remains undefined and entryTypes.set(undefined, value) would silently add a junk entry.

Suggested guard

       } else if (type === 'pointer') {
         key = entry;
         value[type] = true;
       }
-      entryTypes = entryTypes.set(key, value);
+      if (key !== undefined) {
+        entryTypes = entryTypes.set(key, value);
+      }
     }

[parseplatformorg]

🎉 This change has been released in version 8.5.0-alpha.4