When querying for an object with useMasterKey: false the result is No object found even though the querying user has read access right to it.
publicReadAccess: false, publicWriteAccess: false and give one user read access rights.
let query = new Parse.Query("ExampleClass");
return query.get(request.params.id, {useMasterKey: false})
The result is "ParseError: 101 No object found."
The result should be the queried object.
Querying without {useMasterKey: false} returns the object successfully.
You need to specify the user's session token:
let query = new Parse.Query("ExampleClass");
let options = {
  useMasterKey: false,
  sessionToken: request.user.getSessionToken(),
};
return query.get(request.params.id, options)
@mtrezza - the answer provided by @Gyran seems correct. Can you please test and let us know if it indeed solved your issue?
That seems counterintuitive to me, if I don't set 'useMasterKey' I assume it defaults to 'false'. Why would I expect a different behavior when I explicitly set it to 'false'?
@mtrezza if the object is protected to be fetched only by that user, how is the server supposed to know that the request is on behalf of that user?
Does the following work at all?
let query = new Parse.Query("ExampleClass");
return query.get(request.params.id)
@mtrezza you actually don't need to set useMasterKey to false - that's the default. Passing only the sessionToken should be enough.
@mtrezza I'm closing this considering that, if you set the object's ACL, you must pass the session token to the query, and this is the expected behavior. You don't need to pass the useMasterKey at all, only if you are querying as the "server", the app "owner". If it's a cloud function and the user is calling it, you can get the session token with request.user.getSessionToken().
Hope it helps.
@natanrolnik That is exactly my point. It is not necessary to set the useMasterKey: false because it is the default value. Since it IS the default value, the query results should not change when setting the default value explicitly with useMasterKey: false. That seems counter-intuitive and can make it difficult to debug.
As for your question if it works without useMasterKey, as I wrote in my post, "Querying without {useMasterKey: false} returns the object successfully."
I am only referring to Cloud Code here.
@Gyran Passing the session token should also not be necessary since a query in Cloud Code is always executed as Parse.User.currentUser();.
@mtrezza queries in Cloud Code used to be run as the current user in the old Parse.com, where each function had a scope with the current user. This is why the master key was a global setting that wouldn't interfere with other requests from other users. However, in Parse server this isn't true anymore. You always need to pass the session token if an object has ACL.
@flovilmart can explain a bit more
@mtrezza I believe everything is correctly explained here: http://docs.parseplatform.org/parse-server/guide/#no-current-user
@flovilmart Thanks for the link, all clear now. Thanks @natanrolnik for clarifying.
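An added example, not code posted in this thread: a Cloud Code function that runs the `ExampleClass` query as the calling user, as the replies above describe, and also handles the unauthenticated case where `request.user` is undefined. The names `callerOptions` and `getExample` and the error message are assumptions; `Parse` is the global that Parse Server provides to Cloud Code.

```javascript
// Added example, not code from the thread. In Parse Server Cloud Code,
// `Parse` is a global; callerOptions and getExample are assumed names.

// Build query options that make Parse Server evaluate ACLs as the caller.
function callerOptions(request) {
  // Parse Server has no implicit current user in Cloud Code: request.user is
  // set only when the client sent a valid session token.
  if (!request.user) {
    throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Login required');
  }
  // useMasterKey is deliberately absent: it defaults to false, and true would
  // bypass the object's ACL instead of checking it.
  return { sessionToken: request.user.getSessionToken() };
}

async function getExample(request) {
  const query = new Parse.Query('ExampleClass');
  // Rejects with error 101 (object not found) when the caller's ACL entry
  // does not grant read access.
  return query.get(request.params.id, callerOptions(request));
}

// Register only when running inside Parse Server, where `Parse` exists.
if (typeof Parse !== 'undefined') {
  Parse.Cloud.define('getExample', getExample);
}
```

Reusing `callerOptions(request)` for every query and save in a function keeps ACL checks tied to the caller and makes any use of `useMasterKey: true` an explicit, reviewable exception.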