From 709fea546cabee260ca3d711694e9c692d942983 Mon Sep 17 00:00:00 2001 From: Manuel Trezza <5673677+mtrezza@users.noreply.github.com> Date: Thu, 8 Apr 2021 15:29:42 +0200 Subject: [PATCH 1/2] refactored security section --- _includes/cloudcode/cloud-code.md | 34 ++++++++++++++++++------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/_includes/cloudcode/cloud-code.md b/_includes/cloudcode/cloud-code.md index f1556960..944850ac 100644 --- a/_includes/cloudcode/cloud-code.md +++ b/_includes/cloudcode/cloud-code.md @@ -249,7 +249,7 @@ Parse.Cloud.define('adminFunctionTwo', request => { ``` -### Some considerations to be aware of +### Considerations - The validation function will run prior to your Cloud Code Functions. You can use async and promises here, but try to keep the validation as simple and fast as possible so your cloud requests resolve quickly. - As previously mentioned, cloud validator objects will not validate if a masterKey is provided, unless `validateMasterKey:true` is set. However, if you set your validator to a function, the function will **always** run. @@ -672,9 +672,6 @@ Parse.Cloud.afterFind(Parse.User, async (request) => { }) ``` -### Some considerations to be aware of -- If you use the `masterKey` to fetch a pointer in an `afterFind` trigger, it will be sent in full to the client. Prior to returning to the client, be sure to check that the returned objects and pointers do not contain information that the client should not be able to access - # Session Triggers ## beforeLogin @@ -692,8 +689,7 @@ Parse.Cloud.beforeLogin(async request => { }); ``` -### Some considerations to be aware of - +### Considerations - It waits for any promises to resolve - The user is not available on the request object - the user has not yet been provided a session until after beforeLogin is successfully completed - Like `afterSave` on `Parse.User`, it will not save mutations to the user unless explicitly saved 
@@ -721,7 +717,7 @@ Parse.Cloud.afterLogout(async request => { }); ``` -### Some considerations to be aware of +### Considerations - Like with `afterDelete` triggers, the `_Session` object that is contained in the request has already been deleted. #### The trigger will run... @@ -830,7 +826,7 @@ Parse.Cloud.afterLiveQueryEvent('MyObject', async (request) => { }); ``` -### Some considerations to be aware of +### Considerations - Live Query events won't trigger until the `afterLiveQueryEvent` trigger has completed. Make sure any functions inside the trigger are efficient and restrictive to prevent bottlenecks. ## onLiveQueryEvent @@ -871,13 +867,23 @@ To learn more, read the [Parse LiveQuery Protocol Specification](https://github. "connect" differs from "ws_connect", the former means that the client completed the connect procedure as defined by Parse Live Query protocol, where "ws_connect" just means that a new websocket was created. -# Using the Master Key in cloud code -Set `useMasterKey:true` in the requests that require master key. +# Security +## Master Key +To override object and class access permissions, you can set `useMasterKey: true` if the request accepts the master key option. + +### Examples + +```javascript +query.find({ useMasterKey: true }); +``` -## Examples: +```javascript +object.save(null, { useMasterKey: true }); +``` ```javascript -query.find({useMasterKey:true}); -object.save(null,{useMasterKey:true}); -Parse.Object.saveAll(objects,{useMasterKey:true}); +Parse.Object.saveAll(objects, { useMasterKey: true }); ``` + +### Considerations +- If you set `masterKey: true` when fetching objects with a query or relation in [Cloud Functions](https://docs.parseplatform.org/cloudcode/guide/#cloud-functions) or [Find Triggers](https://docs.parseplatform.org/cloudcode/guide/#find-triggers), the complete object will be returned. You may want to remove object properties that the client should not be able to access before sending it to the client. 
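Review bot: the hunk at `@@ -672,9 +672,6 @@` drops the `afterFind` consideration entirely, but the replacement bullet in the new `# Security` section only partially covers it. The removed bullet specifically warned that a pointer fetched with the `masterKey` inside an `afterFind` trigger is sent in full to the client; the new bullet speaks generally of "a query or relation in Cloud Functions or Find Triggers" and no longer mentions the pointer case, which is the one readers of the `afterFind` section are most likely to hit. Suggest keeping the pointer wording in the new bullet and leaving a one-line cross-reference under the `afterFind` section pointing at `Security > Considerations`, so the warning is still visible where it applies.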
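Review bot: in the hunk at `@@ -871,13 +867,23 @@`, the new Considerations bullet says "If you set `masterKey: true`", but the option introduced in the section's first sentence and used in all three examples (`query.find({ useMasterKey: true });`, `object.save(null, { useMasterKey: true });`, `Parse.Object.saveAll(objects, { useMasterKey: true });`) is `useMasterKey`. Change the bullet to `useMasterKey: true` so readers are not sent looking for an option that does not exist. The bullet would also be clearer if it stated the cause that the section's opening sentence already gives: because the master key overrides object and class access permissions, the complete object is returned, including fields the requesting client could not otherwise read, which is why properties should be stripped before the result is sent back.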
From b6cc0feaedeaec6c51dc838aca5a81e8fb9af449 Mon Sep 17 00:00:00 2001 From: Manuel <5673677+mtrezza@users.noreply.github.com> Date: Sun, 11 Apr 2021 13:15:56 +0200 Subject: [PATCH 2/2] Fixed absolute URLs --- _includes/cloudcode/cloud-code.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_includes/cloudcode/cloud-code.md b/_includes/cloudcode/cloud-code.md index 944850ac..d7a8c82b 100644 --- a/_includes/cloudcode/cloud-code.md +++ b/_includes/cloudcode/cloud-code.md @@ -886,4 +886,4 @@ Parse.Object.saveAll(objects, { useMasterKey: true }); ``` ### Considerations -- If you set `masterKey: true` when fetching objects with a query or relation in [Cloud Functions](https://docs.parseplatform.org/cloudcode/guide/#cloud-functions) or [Find Triggers](https://docs.parseplatform.org/cloudcode/guide/#find-triggers), the complete object will be returned. You may want to remove object properties that the client should not be able to access before sending it to the client. +- If you set `masterKey: true` when fetching objects with a query or relation in [Cloud Functions]({{ site.baseUrl }}/cloudcode/guide/#cloud-functions) or [Find Triggers]({{ site.baseUrl }}/cloudcode/guide/#find-triggers), the complete object will be returned. You may want to remove object properties that the client should not be able to access before sending it to the client.
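Review bot: the `+` line in this hunk fixes the absolute URLs to `{{ site.baseUrl }}` but still reads "If you set `masterKey: true`", while the option it describes is `useMasterKey: true` (see the context line `Parse.Object.saveAll(objects, { useMasterKey: true });` directly above the heading). Since this commit already rewrites that line, correct the option name in the same edit rather than leaving the mismatch for a follow-up. Also worth confirming that the `#cloud-functions` and `#find-triggers` fragments match the heading ids the site generator produces for those sections, since the links are now resolved relative to `{{ site.baseUrl }}`.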