Parse-server: Sessions being created with public read and write ACL

Created on 26 Apr 2016 · 2 Comments · Source: parse-community/parse-server

Steps to reproduce

Using Parse.User.logIn(username,pwd) in Cloud Code is creating Sessions correctly, but those session objects are created with no ACL. See Session object created below:

{
  "objectId": "OwqhHsTza2",
  "sessionToken": "r:token",
  "user": {
    "__type": "Pointer",
    "className": "_User",
    "objectId": "f0EAbbFSUH"
  },
  "createdWith": {
    "action": "login",
    "authProvider": "password"
  },
  "restricted": false,
  "expiresAt": {
    "__type": "Date",
    "iso": "2017-04-25T22:19:45.254Z"
  },
  "installationId": "c6cc7806-6d45-f2ab-2589-d9a19381e34d",
  "updatedAt": "2016-04-25T22:19:45.254Z",
  "createdAt": "2016-04-25T22:19:45.254Z"
}

Looking through the code, I am wondering if it is because it looks like session objects are created using the Auth.master:

let create = new RestWrite(req.config, Auth.master(req.config), '_Session', null, sessionData);

This then runs through the list of Rest Write functions starting with getUserAndRoleACL, which returns empty if run as master?

RestWrite.prototype.getUserAndRoleACL = function() {
  // Master-key writes skip ACL computation entirely, so no ACL is attached.
  if (this.auth.isMaster) {
    return Promise.resolve();
  }
  // ... remainder of the function (not quoted in the issue)
};

All 2 comments

It looks like a session token is still required to read sessions though:

$ curl -X GET -H "X-Parse-Application-Id: myAppId" http://localhost:1337/parse/sessions
{"code":209,"error":"This session token is invalid."}

And I was unable to read any other sessions than the one that belonged to me when I did add the X-Parse-Session-Token header.

https://parse.com/docs/rest/guide#sessions-querying-sessions

That is correct, session security is handled through non-ACL means.
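An added illustration (not parse-server's own code) of the point made in this thread: reads of `_Session` are scoped by the requesting auth rather than by a per-object ACL, which is why a missing or bad token yields error 209 and a valid token only shows the caller's own session. The `authFromHeaders` and `querySessions` functions, the master key value and the sample sessions are all constructed for this example.

```javascript
// Constructed sample data: two sessions belonging to two different users.
const SESSIONS = [
  { objectId: 'OwqhHsTza2', sessionToken: 'r:tokenA',
    user: { __type: 'Pointer', className: '_User', objectId: 'f0EAbbFSUH' } },
  { objectId: 'Zk3mQp9xLd', sessionToken: 'r:tokenB',
    user: { __type: 'Pointer', className: '_User', objectId: 'u7Yt2wQa1B' } },
];

// Hypothetical master key for the example; a real deployment keeps this secret.
const MASTER_KEY = 'example-master-key';

// Build an auth context from request headers, mirroring the idea that the
// server decides "master or which user?" before any query runs.
function authFromHeaders(headers) {
  if (headers['X-Parse-Master-Key'] === MASTER_KEY) {
    return { isMaster: true, user: null };
  }
  const token = headers['X-Parse-Session-Token'];
  const session = token ? SESSIONS.find(s => s.sessionToken === token) : undefined;
  // No token, or a token that matches no session, means no authenticated user.
  return { isMaster: false, user: session ? session.user : null };
}

// Query _Session the way the thread describes: master sees all sessions,
// a user sees only sessions whose `user` pointer is their own, and anything
// else is rejected with the same code 209 the curl call above received.
function querySessions(headers) {
  const auth = authFromHeaders(headers);
  if (auth.isMaster) {
    return { results: SESSIONS };
  }
  if (!auth.user) {
    return { code: 209, error: 'This session token is invalid.' };
  }
  return { results: SESSIONS.filter(s => s.user.objectId === auth.user.objectId) };
}

module.exports = { SESSIONS, MASTER_KEY, authFromHeaders, querySessions };
```

The filter on the `user` pointer is the "non-ACL means" the maintainer refers to: the session objects themselves carry no ACL, yet a caller cannot enumerate other users' sessions.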
