Parse-server: ParseError {code: 206, message: "Cannot modify user FQrZUWcoW9."}

Created on 15 Mar 2018 · 6 Comments · Source: parse-community/parse-server

ParseError {code: 206, message: "Cannot modify user FQrZUWcoW9."}.

Issue Description

ParseError {code: 206, message: "Cannot modify user FQrZUWcoW9."} when updating another user,
even though I have set this ACL.

Steps to reproduce

In the source code, I found these:

```js
// RestWrite.js 975-979
if (this.className === '_User' &&
    this.query &&
    !this.auth.couldUpdateUserId(this.query.objectId)) {
  throw new Parse.Error(Parse.Error.SESSION_MISSING, `Cannot modify user ${this.query.objectId}.`);
}
```

```js
// Auth.js 21-31

// Whether this auth could possibly modify the given user id.
// It still could be forbidden via ACLs even if this returns true.
Auth.prototype.couldUpdateUserId = function(userId) {
  if (this.isMaster) {
    return true;
  }
  if (this.user && this.user.id === userId) {
    return true;
  }
  return false;
};
```

Expected Results


Actual Outcome


Environment Setup

  • Server

    • parse-server version: 2.7.2

Logs/Trace

All 6 comments

This is the expected behaviour: one authenticated user cannot write to another user's object, nor read it. This is a security measure. Users hold private information and therefore are protected in a more restrictive way.

@flovilmart Is there no solution to update the user attributes? For example, a user with an admin role should be able to edit and change user attributes. Is there a solution to this problem the basic Parse way, without writing custom cloud code?

I have a similar issue where I need admins to be able to modify users. The behavior is very inconsistent, i.e. the ACL for the user doesn't really make sense at all:

```js
// newUser and businessUnit come from the surrounding (not shown) code
const acl = new Parse.ACL();
acl.setPublicReadAccess(true);
acl.setWriteAccess(newUser.id, true);
acl.setRoleWriteAccess(businessUnit.getUserRoleId(), true);
newUser.setACL(acl);

return newUser.save(null, { useMasterKey: true });
```

In the example above the ACL tells me I should be able to edit and a cryptic error message tells me I can't.

In the latest release, updating users with the masterKey should let any ACL be set. We still want to ensure a user can't accidentally lock himself out; there has been some discussion around it. I'd gladly review a PR that softens the possible updates on ACLs while preserving enough safety.

@flovilmart yes the ACL is possible to set but does not reflect what can actually be done since Auth.prototype.couldUpdateUserId would still block any changes by another user.

Made a simple PR #4792

@mullwaden This PR would make me happy and solve the problem 👍🏻
