Parse-server: Permission denied for this action saving object through cloud code

Created on 25 Apr 2016  路  10Comments  路  Source: parse-community/parse-server

Check out this issue for an ideal bug report. The closer your issue report is to that one, the more likely we are to be able to help, and the more likely we will be to fix the issue quickly!

For implementation related questions or technical support, please refer to the Stack Overflow and Server Fault communities.

Make sure these boxes are checked before submitting your issue -- thanks for reporting issues back to Parse Server!

Environment Setup

stand alone installation using express on CentOS behind nginx set-up as reversed proxy.
Parse-server version : 2.2.7
parse-dashboard version: 1.0.8
Mongo-db version: 3.2.3

Steps to reproduce

1) Create new class via dashboard (Test)
-> class level permissions are blank at this time
2) Set all class level permissions (read, write, add) public
-> mongo db document:

  {
"_id" : "Test",
"objectId" : "string",
"updatedAt" : "string",
"createdAt" : "string",
"_metadata" : {
    "class_permissions" : {
        "get" : {
            "*" : true
        },
        "find" : {
            "*" : true
        },
        "create" : {
            "*" : true
        },
        "update" : {
            "*" : true
        },
        "delete" : {
            "*" : true
        },
        "addField" : {
            "*" : true
        }
    }
}

}

3) try to add new document via cloud function 

Parse.Cloud.define("sendTest", function(request, response) {
      var Test = Parse.Object.extend('Test');
      var newTest = new Test();
      newTest.save().then( .....

curl:

curl -X POST \
-H "X-Parse-Application-Id: XXXXXXXXXXXXXXXXXXXXXXXXXXX" \
-H "X-Parse-REST-API-Key: undefined" \
-H "X-Parse-Session-Token: 10LRXNxgfxDjXxy6zN5ioSXVp" \
--data-urlencode "{
\"test\": \"hWItYo37U0\"
}" \
https://www.testserver.com/functions/sendTest

4) error : 

 verbose: error: code=101, message=Permission denied for this action.
 parse-server-2 Error
 parse-server-2 verbose: error: code=141, message=Permission denied for this action.

if I use the master key in the cloud function the object is save successfully. Creating a new object via the parse-dashboard API console also works fine: curl:

curl -X POST \
-H "X-Parse-Application-Id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" \
-H "X-Parse-REST-API-Key: undefined" \
-H "X-Parse-Session-Token: 10LRXNxgfxDjXxy6zN5ioSXVp" \
--data-urlencode "{
\"test\": \"hWItYo37U0\"
}" \
https://www.testserver.com/functions/sendTest

Logs/Trace

picture bartroelands

Most helpful comment

it didn't worked as @mbilling sample code

test.save(null, {sessionToken: request.user.getSessionToken()}).then...

notice the null before setting the sessionToken now it works.

picture johhansantana on 14 Feb 2017
👍3

All 10 comments

We have lots of passing test cases that cover these features. Can you post some code that reliably reproduces your issue? Ideally as a test case we can add to our test suite.

drew-gross picture drew-gross on 25 Apr 2016

ok, I'll see what I can cook up. I am working on this project after hours so need to find some time. One thing I noticed though today is that the class I created through the parse-dashboard did not had 'readUserField' and 'writeUserField' in the schema definition:

{
"_id" : "Test",
"objectId" : "string",
"updatedAt" : "string",
"createdAt" : "string",
"_metadata" : {
"class_permissions" : {
"get" : {
"_" : true
},
"find" : {
"_" : true
},
"create" : {
"_" : true
},
"update" : {
"_" : true
},
"delete" : {
"_" : true
},
"addField" : {
"_" : true
}
}
},
"test" : "string"
}

vs

{
"_id" : "MessageLog",
"_metadata" : {
"class_permissions" : {
"get" : {
"role:administrator" : true
},
"find" : {
"role:administrator" : true
},
"update" : {
"role:administrator" : true
},
"create" : {
"role:administrator" : true
},
"delete" : {
"role:administrator" : true
},
"addField" : {
"role:administrator" : true,
"*" : true
},
"readUserFields" : [],
"writeUserFields" : []
}
},
"referenceId" : "string",
"sendTime" : "date",
"sent" : "boolean",
"to" : "string",
"type" : "string",
"extra" : "string",
"from" : "string",
"message" : "string"
}

for an imported class from Parse.com

bartroelands picture bartroelands on 27 Apr 2016

You should set sessionToken
Read this https://github.com/ParsePlatform/parse-server/wiki/Compatibility-with-Hosted-Parse

...
test.save({sessionToken: request.user.getSessionToken()}).then ...

mbilling picture mbilling on 28 May 2016

it didn't worked as @mbilling sample code

test.save(null, {sessionToken: request.user.getSessionToken()}).then...

notice the null before setting the sessionToken now it works.

johhansantana picture johhansantana on 14 Feb 2017
👍3

how about putting such an important thing in the docs ?

muhammad-naderi picture muhammad-naderi on 29 Jul 2017

It is in the docs and the api reference

flovilmart picture flovilmart on 29 Jul 2017

I still can not find it in the docs, anyway at least one can say it is not bold enough ;)

muhammad-naderi picture muhammad-naderi on 29 Jul 2017

http://parseplatform.org/Parse-SDK-JS/api/classes/Parse.Object.html#methods_save

flovilmart picture flovilmart on 29 Jul 2017

it is your call bro, but it still is not in the docs ;)

muhammad-naderi picture muhammad-naderi on 29 Jul 2017

Feel free to open a Pr to make it more clear if you feel this should be specified more clearly.

flovilmart picture flovilmart on 29 Jul 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jiawenzhang picture jiawenzhang  路  4Comments
kilabyte picture kilabyte  路  4Comments
carjo422 picture carjo422  路  3Comments
jaydeep82 picture jaydeep82  路  4Comments
pulse1989 picture pulse1989  路  3Comments