Parse-server: [PROPOSAL] Add a Default User Role

Created on 1 Dec 2016 · 9Comments · Source: parse-community/parse-server

Is there a way to have a User Role by default ?
Imagine you have a class called Activities and you want to let only logged in to Users create objects in that class but only the user himself can delete or update his/her own object that he/she created.

The issue here we have to allow the (Public Create) in the CLP, which makes everybody can add a new entry in the class, but thanks to ACL only the user can delete or update his/her object, which is fine.

Expected Behavior:

CLP Public Create should not always be allowed in order to let User create object

Workaround for now

Create a new Role User and add a relation that add all users from the User class
Disallow CLP Public Create
Add a new Row in the CLP for User Role and enable Create for it

This is only example, this can apply for any other operation such delete

Here example with delete operation that doesn't work cause of CLP when Public Delete is not checked

User create an object in the activity class
This Activity has ACL set to [Public Read, Write : user_id]
User try to delete that object by calling object.destroy() or object.delete() while CLP Public Delete is not allowed
User get Permission Denied

workaround in this case

in BeforeDelete server need to call Parse.Cloud.useMasterKey() <- Bad idea!
Create a cloud function deleteObject which take the objectId and className of the object

Parse.define('deleteObject', function (req, res) {
     var Object = Parse.Object.extend(req.params.className)
     var object = Object.createWithoutData(objectId)
     // if you want you can call object.fetch() or just do
    object.destroy( { useMasterKey : true }).then( // handle responses );
    // for more security you can use sessionToken
    // object.destory({ sessionToken : req.params.sessionToken }).then( ... ) <- I didn't test this yet
});

Call that function from the client

enhancement

Source

benishak

Most helpful comment

the default User Role would not solve it either. I understand what you're trying to achieve, let me think of something.

flovilmart on 13 Apr 2017

👍2

All 9 comments

You can use a pointer permission in the CLP for that, the Pointer Permission would be read write for the user column and read only for the other.

There is also that PR that adds logged in user as a CLP: https://github.com/ParsePlatform/parse-server/pull/893

flovilmart on 1 Dec 2016

Awesome, so we will see this in 2.3.0!
Sounds good
I updated the post for more scenarios and workarounds!

Cheers

benishak on 1 Dec 2016

893 has been merged, and I believe this will address your scenarios right?

flovilmart on 3 Dec 2016

ping @benishak

flovilmart on 6 Dec 2016

👍1

I have a scenario that can not be implemented in current parse-server. If there is a default User Role like @benishak described, it could be worked.

Private Account like Instagram scenario:
If you turn the Private Account on in Instagram, your all photos will not be public read, but your followers can read them.

Here is my assuming implementation using parse-server:

There is a User Role (include all users)
There are Follower Roles for each user. Each Follower Role contains:
2a. users: all followers
2b. roles: User Role

Then if user turn the Private Account on, we can just remove User Role from Follower Role. On the other hand, if your turn the Private Account off, we just add User Role back to Follower Role.

ananfang on 13 Apr 2017

Not sure why you need that, there is now the requireAuthentication CLP, which basically let you restrict access to only logged in users.

flovilmart on 13 Apr 2017

@flovilmart
For example, there is a class Photo, every user can create photo just like Instagram.

There is a feature called Private Account. If any user turn this on, his/her photos will be queried only if the request is from his/her followers.

There is a workaround way currently, ACL of all photos from one user are public read while Private Account is OFF. If Private Account is ON, disable all photos public read and set read access for a Role called 'followersOf(userId)' contained all followers of this user.

The cons of this workaround is we need to fetch all photos from this user while he / she switch Private Account ON/OFF, and change these photos' ACL.

Ps. It could not be done by the requireAuthentication CLP, because it should affect just some specific users' photos, not all objects in Photo class.

ananfang on 13 Apr 2017

the default User Role would not solve it either. I understand what you're trying to achieve, let me think of something.

flovilmart on 13 Apr 2017

👍2

requiresAuthentication feature looks awesome!

benishak on 8 May 2017

Was this page helpful?

0 / 5 - 0 ratings