Parse ACL limit write on current user instance from current user - javascript

I have a _User class on parse for my application and i want to make it so that its ACL restricts writing from everywhere expect cloud code (W/ master key). The user has a "Verified" boolean column acknowledging weather they are a verified user or not. I do not want them to be able to log in, mess with the javascript, and write themselves in as "verified". I wrote this code but it wont work. Any suggestions?
Parse.Cloud.afterSave("_User", function(request, response) {
request.object.set("verifiedCritic",false);
var publicReadACL = new Parse.ACL();
publicReadACL.setPublicWriteAccess(false);
publicReadACL.setWriteAccess(request.object.id,false);
request.object.setACL(publicReadACL);
request.object.save();
response.success();
});

http://parse.com/docs/js/symbols/Parse.ACL.html#setReadAccess
check "setPublicREAD|WRITEAccess()" and use that in addition to the method you have for an individual user.ID.
When first created or when updated, IMO you want :
PubREAD TRUE
PubWrite FALSE
AND
Write ( thatUsserID, TRUE )
Then with the above and no other additional accretive assess in the array for the ACL , you should get the result that u want in cloud code after issuing "use_master_key" ...
After you create a user, can u use the databrowser to copy/paste the ACL column so that you can verify you have the correct collection of permissions? Then do your updating and the Cloudcode stuff.

Related

Parse Query Include method not including all data expected

I am doing a query onto a class where I have a pointer to a User.
I do query.include('byUser') and when I log out the query result it's shown but when I try to get a specific attribute like email. It doesnt exist.
I also first thought it was odd that I have to get the User details by doing:
const userDetails = query.get("byUser").attributes;
Do I have to do .attributes? And also why isn't the email showing up. Everything else seems to show up in the attributes section.
Thanks
Please note that in parse, you can not query the email field of other users. you can see the email field only if you are the signed in user. This is a security mechanism.
A. If you want to get the email field for a user object, you can do two things:
Pass the user session token to the query.
new Parse.Query(Parse.User).get(<userId>,{sessionToken:<userSessionToken>});
Use master key. (Note: You have to set the master key before.)
new Parse.Query(Parse.User).find({useMasterKey:true});
B. Your include method is correct and it it will fetch the byUser object. You do not need to use .attributes.
UPDATE:
You can also set a publicEmail field in your User class which will not be filtered out by parse-server. to automate this, you can write a cloud code.
Cloud Code Example (on parse-server V 3.0.0 and above):
PLEASE NOTE THAT YOU CAN NOT USE ASYNC FUNCTIONS FOR PARSE-SERVER < V 3.0.0
Parse.Cloud.beforeSave(Parse.User, async req=>{
if (!req.original && !req.master && req.object.get('email')){
req.object.set('publicEmail',req.object.get('email'));
}
})
Now, if new user sign up, this cloud code will automatically adds a new field to the user object publicEmail which is not filtered by parse-server.

Modifying array property of PFUser - Parse

I have an array property called courses on my User table in Parse. Any idea why I might getting Cannot modify user XTC9aiDZlL. code=206, message=Cannot modify user XTC9aiDZlL. when I do the following:
user.remove('courses', deletedCourse);
user.save()
where deleteCourse is the course PFObject to delete
Are you signed in as the user you're trying to modify? That can cause problems like this, as Parse usually just lets a user modify themself & the objects they've created.
If you're signed in as the same user you're trying to edit that's another story. This is a glitch that seems to be popping up in the Parse server recently. It's not the best solution but for now you'll need to modify the ACL when you create the user, like this:
let user = PFUser()
let acl = PFACL()
acl.getPublicWriteAccess = true
acl.getPublicReadAccess = true
user.acl = acl

get foreignId Data from the feed of a user [Stream Js]

hi i'm trying to implement getstream.io in my project.
i'm using https://github.com/GetStream/stream-js
as my server side script is in nodeJS.
i'm able to create a user in feed using
user1 = client.feed('user', 'dpz');
i'm creating activity for this user using using
activity ={
"actor":"user:1",
"message": "#flat_4_bfcaffca-c35f-11e5-8080-8001002e75f6",
"verb":"tweet",
"object":"tweet:4",
"foreign_id": "flat:4"
};
user1.addActivity(activity);
if i want to get all records of that user,
i use
user1.get()
.then(function(body) { console.log(JSON.stringify(body)); })
.catch(function(reason) { console.log(JSON.stringify(reason.error));});
i get result as :
{"duration":"19ms",
"next":"",
"results":[{
"actor":"user:1",
"foreign_id":"flat:4",
"id":"41231d40-ca5a-11e5-8080-800047dac62a",
"message":"#flat_4_bfcaffca-c35f-11e5-8080-8001002e75f6",
"object":"tweet:4",
"origin":null,
"target":null,
"time":"2016-02-03T09:41:09.335584",
"to":[],
"verb":"tweet"
}]
}
in your rest_ documentation
https://getstream.io/docs_rest/#feed_detail
you have specified
feed/(feed_slug)/(user_id)/(activity_id|foreign_id)/
to delete an activity for if the foreign key matches criteria.
in your nodejs code
user1.removeActivity({foreignId: 'flat:4'})
line works to remove the feed for that user where foreign key is flat:4
user1.get({foreignId: 'flat:4'})
does not work
can you please help if i want to get feeds with the foreignId as 'flat:4'
is there any way for such ?
please help as i'm stuck on this point only.
The feed/(feed_slug)/(user_id)/(activity_id|foreign_id)/ endpoint is only for DELETE requests. At this present is not possible to retrieve activities by its foreign_id. That field can only be used to perform cascaded deletion and/or to define the uniqueness of your data.
Looking at the code that you added, it seems like to use references to feeds as the value for foreign_ids, if that's the case then you are probably using this field in a weird/wrong way and you should create a new question on SO to ask help with the integration of your data.

Meteor - Allow multiple users to edit a post

I'm not able to use the node server debugger so I'm posting here to see if I can get a nudge in the right direction.
I am trying to allow multiple users to edit documents created by any of the users within their specific company. My code is below. Any help would be appreciated.
(Server)
ComponentsCollection.allow({
// Passing in the user object (has profile object {company: "1234"}
// Passing in document (has companyId field that is equal to "1234"
update: function(userObject, components) {
return ownsDocument(userObject, components);
}
});
(Server)
// check to ensure user editing document created/owned by the company
ownsDocument = function(userObject, doc) {
return userObject.profile.company === doc.companyId;
}
The error I'm getting is: Exception while invoking method '/components/update' TypeError: Cannot read property 'company' of undefined
I'm trying to be as secure as possible, though am doing some checks before presenting any data to the user, so I'm not sure if this additional check is necessary. Any advice on security for allowing multiple users to edit documents created by the company would be awesome. Thanks in advance. -Chris
Update (solution):
// check that the userId specified owns the documents
ownsDocument = function(userId, doc) {
// Gets the user form the userId being passed in
var userObject = Meteor.users.findOne(userId);
// Checking if the user is associated with the company that created the document being modified
// Returns true/false respectively
return doc.companyId === userObject.profile.companyId;
}
Looking at the docs, it looks like the first argument to the allow/deny functions is a user ID, not a user document. So you'll have to do Meteor.users.findOne(userId) to get to the document first.
Do keep in mind that users can write to their own profile subdocument, so if you don't disable that, users will be able to change their own company, allowing them to edit any post. You should move company outside of profile.
(If you can't use a proper debugger, old-fashioned console.log still works. Adding console.log(userObject) to ownsDocument probably would have revealed the solution.)

Anonymous Users with Parse SDK

I'm aware that Parse.com does not support Anonymous Users for the Javascript SDK which is what I'm using now. I've asked a Parse staff member what an alternative for those using the Parse Javascript SDK and want to have something like the Anonymous User feature offered for the Parse ios SDK might be. I was told by the Parse staff member: "This is not officially supported yet, but you might be able to implement something similar by generating a random username and password that is stored in localStorage for this user". Now, right now, the following code allows me to save information to my Parse database
var MYObject = Parse.Object.extend("MYObject");
var myObject = new MYObject();
var SomeStuff = "Test";
myObject.set("RECORD",SomeStuff);
myObject.save(null, { success: function(myObject)
{ //alert alert('New object created with objectId: ' + myObject.id); }
This creates a new class then adds "RECORD" and "Test". It works. Yet this is saved without needing a username or password at all. I'm wondering why just allowing users to save data like that can't be sufficient instead of having the Anonymous User feature Parse offers or in my case, an alternative solution for the Anonymous User feature since Anonymous User is not supported by the Parse Javascript SDK which is what I'm using. Is the reason the Anonymous User feature offered in the first place a matter of security? Should I resort to the alternative solution given to me by Parse staff or is it unnecessary?
can you just generate a 'random' or a 'guid' and then plug that into User.username with password&email undefined... On the insert of that user, you have a valid Parse.User object that is anonymous. The return from the User.insert() is 'token' which never expire. You can use cookie to store the {"token":val, "username":val}.
Without a passwd, you never log the user in and will always be forced to call cloudcode where you can pass in the user's token (-H "X-Parse-Session-Token: rcid...") in place of a validated session established with 'login'.
I've used this technique in REST API where i want to onboard users without any input to text fields. They provide no info , only agreeing to use an anonymous cloud account.
I know this answer is very late, but it's relevant because nothing has changed. There is no Class for Anonymous users in the Parse JS SDK.
The reason why you can create, save, edit and delete objects without having an User Session is because you can create objects that anyone can use; I.E, "Public Objects". You can set ACL credentials on these objects as well, but you will not be associating new objectsIds with userObjectIds and therefore will only be able to update said objects in Cloud Code using your apps MasterKey.
var Foo = Parse.Object.extend("Foo");
var foo = new Foo();
foo.set("message", "Hello Foo");
foo.save().then(function(foo){
//foo was saved
//anyone can edit it right now
//make it disappear into a black hole
//in other words, nobody can edit without Master Key
var acl = new Parse.ACL();
acl.setPublicReadAccess(false); //nobody can read it
acl.setPublicWriteAccess(false);//nobody can write it
foo.setACL(acl);
return foo.save();
}).then(function(foo){
//since foo was returned, we can still read it, but
//we cannot edit it anymore...
foo.set("message", "cannot update without Master Key");
return foo.save();
}).then(function(foo){
//this will not run
}, function(error){
//catch error for cannot update foo
log(error);
});
In this example, I start off by creating the Foo object. Then I update the message column and save it. The saved object is returned and I create an ACL that will prevent anyone for reading and writing to Foo. Then I set Foos ACL and save it again. The saved object is returned and I try to update the message column again. This time an error occurs and the error callback logs the error. This happens because I cannot update foo anyone, unless I use the Master Key and that must take place in Cloud Code.
Parse.Cloud.useMasterKey();
foo.save().then.... //after second return of foo.save() above

Categories

Resources