I'm aware that Parse.com does not support Anonymous Users for the Javascript SDK which is what I'm using now. I've asked a Parse staff member what an alternative for those using the Parse Javascript SDK and want to have something like the Anonymous User feature offered for the Parse ios SDK might be. I was told by the Parse staff member: "This is not officially supported yet, but you might be able to implement something similar by generating a random username and password that is stored in localStorage for this user". Now, right now, the following code allows me to save information to my Parse database
var MYObject = Parse.Object.extend("MYObject");
var myObject = new MYObject();
var SomeStuff = "Test";
myObject.set("RECORD",SomeStuff);
myObject.save(null, { success: function(myObject)
{ //alert alert('New object created with objectId: ' + myObject.id); }
This creates a new class then adds "RECORD" and "Test". It works. Yet this is saved without needing a username or password at all. I'm wondering why just allowing users to save data like that can't be sufficient instead of having the Anonymous User feature Parse offers or in my case, an alternative solution for the Anonymous User feature since Anonymous User is not supported by the Parse Javascript SDK which is what I'm using. Is the reason the Anonymous User feature offered in the first place a matter of security? Should I resort to the alternative solution given to me by Parse staff or is it unnecessary?
can you just generate a 'random' or a 'guid' and then plug that into User.username with password&email undefined... On the insert of that user, you have a valid Parse.User object that is anonymous. The return from the User.insert() is 'token' which never expire. You can use cookie to store the {"token":val, "username":val}.
Without a passwd, you never log the user in and will always be forced to call cloudcode where you can pass in the user's token (-H "X-Parse-Session-Token: rcid...") in place of a validated session established with 'login'.
I've used this technique in REST API where i want to onboard users without any input to text fields. They provide no info , only agreeing to use an anonymous cloud account.
I know this answer is very late, but it's relevant because nothing has changed. There is no Class for Anonymous users in the Parse JS SDK.
The reason why you can create, save, edit and delete objects without having an User Session is because you can create objects that anyone can use; I.E, "Public Objects". You can set ACL credentials on these objects as well, but you will not be associating new objectsIds with userObjectIds and therefore will only be able to update said objects in Cloud Code using your apps MasterKey.
var Foo = Parse.Object.extend("Foo");
var foo = new Foo();
foo.set("message", "Hello Foo");
foo.save().then(function(foo){
//foo was saved
//anyone can edit it right now
//make it disappear into a black hole
//in other words, nobody can edit without Master Key
var acl = new Parse.ACL();
acl.setPublicReadAccess(false); //nobody can read it
acl.setPublicWriteAccess(false);//nobody can write it
foo.setACL(acl);
return foo.save();
}).then(function(foo){
//since foo was returned, we can still read it, but
//we cannot edit it anymore...
foo.set("message", "cannot update without Master Key");
return foo.save();
}).then(function(foo){
//this will not run
}, function(error){
//catch error for cannot update foo
log(error);
});
In this example, I start off by creating the Foo object. Then I update the message column and save it. The saved object is returned and I create an ACL that will prevent anyone for reading and writing to Foo. Then I set Foos ACL and save it again. The saved object is returned and I try to update the message column again. This time an error occurs and the error callback logs the error. This happens because I cannot update foo anyone, unless I use the Master Key and that must take place in Cloud Code.
Parse.Cloud.useMasterKey();
foo.save().then.... //after second return of foo.save() above
Related
I have an array property called courses on my User table in Parse. Any idea why I might getting Cannot modify user XTC9aiDZlL. code=206, message=Cannot modify user XTC9aiDZlL. when I do the following:
user.remove('courses', deletedCourse);
user.save()
where deleteCourse is the course PFObject to delete
Are you signed in as the user you're trying to modify? That can cause problems like this, as Parse usually just lets a user modify themself & the objects they've created.
If you're signed in as the same user you're trying to edit that's another story. This is a glitch that seems to be popping up in the Parse server recently. It's not the best solution but for now you'll need to modify the ACL when you create the user, like this:
let user = PFUser()
let acl = PFACL()
acl.getPublicWriteAccess = true
acl.getPublicReadAccess = true
user.acl = acl
Ok...I'm new to this >.<
I have my npm from github.com (node-twitterbot...whose dependency is twit)
I've looked at the twitter api..
What I'm trying to do is add an action which is post a tweet.
I can't seem to find out how to define the string for the actionName (which might be...)
var tweet = ("https://api.twitter.com/1.1/statuses/update.json");
and the actionFunction. Then I need to put it all together to post. Also, I have my instructions written below, however I'm not sure how to apply them. My actionName could be "tweet"? I have no idea how to define my actionFunction either...Can someone explain this? I NEED TO KNOW WHAT TO PUT WHERE. I have the twitterbot.js file open and ready to edit along with with all my oauth keys...access and consumer stuff. Please help anyway you can. I can paste my twitterbot.js file if that helps. Below are the instructions on the npm site reads:
Actions
In order to get your node-twitterbot to actually do something, you need to define actions. It is done through the addAction() method. It takes 2 parameters:
actionName: a string value for the name of an action
actionFunction: a function to be called when a given action is scheduled. (See below for method signature)
So our addAction method might look like this:
Bot.addAction("tweet", function(twitter, action, tweet) {
Bot.tweet("I'm posting a tweet!");
});
The twitter variable passed into the function is the Twit object associated with a given node-twitterbot, and can be managed directly. The same Twit object is available as [TwitterBot].twitter as well.
The action variable passed into the function is the TwitterBotAction created by addAction.
And the tweet object is the tweet passed into the action (if there was one)
TwitterBotActions
addAction() returns a TwitterBotAction object.
var tweetAction = Bot.addAction("tweet", function(twitter, action, tweet) {
Bot.tweet("I'm posting a tweet!");
});
But you will rarely need to directly hold onto the tweetAction directly. You can always get a reference to the action by calling
Bot.actionWithName("tweet");
Which will return the TwitterBotAction object, or null if the name is invalid (or the action already removed)
Again, I'm trying to put all of this together so i can post a tweet using the javascript in node.js Thank you for your time and consideration.
I'm not able to use the node server debugger so I'm posting here to see if I can get a nudge in the right direction.
I am trying to allow multiple users to edit documents created by any of the users within their specific company. My code is below. Any help would be appreciated.
(Server)
ComponentsCollection.allow({
// Passing in the user object (has profile object {company: "1234"}
// Passing in document (has companyId field that is equal to "1234"
update: function(userObject, components) {
return ownsDocument(userObject, components);
}
});
(Server)
// check to ensure user editing document created/owned by the company
ownsDocument = function(userObject, doc) {
return userObject.profile.company === doc.companyId;
}
The error I'm getting is: Exception while invoking method '/components/update' TypeError: Cannot read property 'company' of undefined
I'm trying to be as secure as possible, though am doing some checks before presenting any data to the user, so I'm not sure if this additional check is necessary. Any advice on security for allowing multiple users to edit documents created by the company would be awesome. Thanks in advance. -Chris
Update (solution):
// check that the userId specified owns the documents
ownsDocument = function(userId, doc) {
// Gets the user form the userId being passed in
var userObject = Meteor.users.findOne(userId);
// Checking if the user is associated with the company that created the document being modified
// Returns true/false respectively
return doc.companyId === userObject.profile.companyId;
}
Looking at the docs, it looks like the first argument to the allow/deny functions is a user ID, not a user document. So you'll have to do Meteor.users.findOne(userId) to get to the document first.
Do keep in mind that users can write to their own profile subdocument, so if you don't disable that, users will be able to change their own company, allowing them to edit any post. You should move company outside of profile.
(If you can't use a proper debugger, old-fashioned console.log still works. Adding console.log(userObject) to ownsDocument probably would have revealed the solution.)
I have a _User class on parse for my application and i want to make it so that its ACL restricts writing from everywhere expect cloud code (W/ master key). The user has a "Verified" boolean column acknowledging weather they are a verified user or not. I do not want them to be able to log in, mess with the javascript, and write themselves in as "verified". I wrote this code but it wont work. Any suggestions?
Parse.Cloud.afterSave("_User", function(request, response) {
request.object.set("verifiedCritic",false);
var publicReadACL = new Parse.ACL();
publicReadACL.setPublicWriteAccess(false);
publicReadACL.setWriteAccess(request.object.id,false);
request.object.setACL(publicReadACL);
request.object.save();
response.success();
});
http://parse.com/docs/js/symbols/Parse.ACL.html#setReadAccess
check "setPublicREAD|WRITEAccess()" and use that in addition to the method you have for an individual user.ID.
When first created or when updated, IMO you want :
PubREAD TRUE
PubWrite FALSE
AND
Write ( thatUsserID, TRUE )
Then with the above and no other additional accretive assess in the array for the ACL , you should get the result that u want in cloud code after issuing "use_master_key" ...
After you create a user, can u use the databrowser to copy/paste the ACL column so that you can verify you have the correct collection of permissions? Then do your updating and the Cloudcode stuff.
I was wondering if there is a way to declare an object property as a function, but also as an object, at the same time.
I have a JavaScript program that provides a simple API that sends AJAX requests to a server. My goal is trying to make this API as simple and human-readable as possible.
Basically, I'd like to make it possible to do this:
var app = new App();
app.get.client(123) // Get client ID 123
app.get.client.list() // Get an array of all clients
app.login('username', 'password') // Send credentials to log as username/password
app.login.as('John') // Login using credentials stored in a server-side constant
I doubt that's even possible as I've never anything like it, but I can't think of a more clear and human-readable way to lay out methods. Sure would be nice!
A function’s an object too!
app.get.client = function(id) {
// Get client by ID
};
app.get.client.list = function() {
// List them
};
works as you’d expect.
Personally, though, I’d find:
app.clients.byId(123)
app.clients
app.login('username', 'password')
app.loginAs('John')
more readable.