-
-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
_User class email field protection should be modifiable #6949
Comments
Thank you for suggesting. I see this as a general Parse Server product strategy question in terms of security restrictions, there is a related discussion. A thought experiment: Would we eventually allow any Parse Server security restrictions to become optional, or are there some restrictions that we would not remove and if so, why? Frankly, just the idea of allowing a session user query a sensitive field like However, for a more procedural approach, here are some arguments for optional security restrictions: Pro:
Contra:
An alternative solution could be creating a Cloud Code function that queries the email field using the |
Some additional thoughts.... If Parse were to treat authentication in a similar way to Firebase (with which I have more experience), it would take master key type use to access both What strikes me is not that Parse chooses to lock down the
Some apps may be written for internal company use and that company might assign roles to users who have permission to iterate over the Users class and interact with email addresses for some business need. This roles-based approach seems like a reasonable use case for making the email field unprotected. I don't feel the same can be said for the |
This is possible with a Cloud Code function and However, I agree that the email and username field should be considered equally sensitive, because we can assume that in many instances, the username field contains the email address. |
I think the conclusion we can draw from the separate security discussion is:
Therefore I would suggest before we merge a PR for this, we should wait for #6973 to be merged so a security warning can be displayed. @185driver, would you be willing to prepare a PR for this and add the warning message after #6973 is merged? |
This sounds good.
The intended meaning above is not quite clear to me given that less caution is currently given to the If the intent is to treat them both the same by doing these things:
Then, that would be great. If I'm misunderstanding, my apologies. I am willing to help where I can, but are you asking me to work on a documents PR or a code PR? I can submit something for consideration for the Parse docs related to #6973 once it is merged and I can understand the changes, if that would be helpful. |
@dplewis, @davimacedo since this would be a sensitive security change, can I get your quick opinions on this suggestion? |
I agree with the suggestion. |
It just meant that both fields should be handled equally, without drawing a conclusion about the level of protection. Since @davimacedo confirmed we can go ahead, the next steps being:
@185driver Would you be willing to open a PR for the first point? We're here to help with guidance if you have any questions. |
Unfortunately, I'm working with a project right now that doesn't use parse server so can't participate for the time being. I'll check back when I can. |
I would like to contribute to resolving this issue. I just started exploring the parse server. PR #6973 is merged so I think I can proceed with this.
Just wanted to confirm as to how can this be achieved? |
Is your feature request related to a problem? Please describe.
As discussed in a Parse Community forum thread, the default behavior of the
_User
classemail
field is to protect it and only expose it viauseMasterKey
. This is a reasonable default setting.However, developers who understand the risks involved may have a reasonable need to access the email field in a
find
query, but are currently unable to do so. The email field does not respond to a removal fromprotectedFields
. A developer can get around this limitation via adding their own email-related field, but doing so feels hacky. Parse simply does not allow a developer to change the protected behavior of the default email field even though a method to do so is built into Parse.Parse's default setting for the email field is good. Unless the risks are understood and the default behavior is intentionally overridden, it's reasonable to disallow exposing the email field.
Describe the solution you'd like
If, however, a developer understands the risks and wishes to expose the email field in queries, s/he should be allowed to do so. The email field should respond to
protectedFields
changes in the same way that other fields do.Describe alternatives you've considered
Create a clone of the email field and expose its contents in User class queries. This is not an elegant solution.
Additional context
Though I believe allowing developers to change the email field's behavior would be good, it should be accompanied by the addition of wording in the docs that both describes how to use the protected fields feature, and a caution against making a change to the email field's behavior unless the risks are understood. I believe that there is currently no verbiage in the docs about these things.
The text was updated successfully, but these errors were encountered: