-
-
Notifications
You must be signed in to change notification settings - Fork 515
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Protected Fields docs #716
base: gh-pages
Are you sure you want to change the base?
Protected Fields docs #716
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably worth mentioning that by default the field email
in the _User table is protected.
Additionally, that you can configure the protected fields in the init options of ParseServer.
var api = new ParseServer({
protectedFields: { _User: {"*": [ "username", "email", "gender", "mobile", "telephone", "addressLine1", "addressLine2", "city", "postcode","dob"], "role:Management": []}}
});
classLevelPermissions: | ||
{ | ||
"protectedFields": { | ||
"*": ["views", "secret", "ownerEmail", "owner", "article",], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
extra comma.
} | ||
``` | ||
|
||
It is essential to understand the basic principle how server determines which fields to protect when user belongs to multiple groups with different rules defined. First, server finds all scopes with `protectedFields` the user belongs to. Then resulting set is determined as an intersection of all applicable sets. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is essential to understand the basic principle how server determines which fields to protect when user belongs to multiple groups with different rules defined. First, server finds all scopes with `protectedFields` the user belongs to. Then resulting set is determined as an intersection of all applicable sets. | |
It is essential to understand the basic principle of how the server determines which fields to protect when a user belongs to multiple groups with different rules defined. First, the server finds all scopes with the `protectedFields` the user belongs to. Then the resulting set is determined as an intersection of all applicable sets. |
|
||
It is essential to understand the basic principle how server determines which fields to protect when user belongs to multiple groups with different rules defined. First, server finds all scopes with `protectedFields` the user belongs to. Then resulting set is determined as an intersection of all applicable sets. | ||
|
||
In the above example, for logged in user: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the above example, for logged in user: | |
In the above example, for a logged in user: |
``` | ||
|
||
* When user with `role:moderator` fetches an object, `secret` is protected. | ||
* When user with `role:tester` fetches same object - all fields appear to be visible, even though `role:tester` has `ownerEmail` set as protected. This happens because of role hierarchy - when user has a role, he also implicitly gets all the inherited roles. Then server intersects sets for all roles (both `role:tester` and inherited `role:moderator` in this case) and intersection of `["secret"]` vs `["ownerEmail"]` results in `[]` (sets have no fields in common). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* When user with `role:tester` fetches same object - all fields appear to be visible, even though `role:tester` has `ownerEmail` set as protected. This happens because of role hierarchy - when user has a role, he also implicitly gets all the inherited roles. Then server intersects sets for all roles (both `role:tester` and inherited `role:moderator` in this case) and intersection of `["secret"]` vs `["ownerEmail"]` results in `[]` (sets have no fields in common). | |
* When a user with `role:tester` fetches the same object - all fields appear to be visible, even though `role:tester` has `ownerEmail` set as protected. This happens because of role hierarchy - when a user has a role, they also implicitly get all the inherited roles. Then server intersects sets for all roles (both `role:tester` and inherited `role:moderator` in this case) and intersection of `["secret"]` vs `["ownerEmail"]` results in `[]` (sets have no fields in common). |
moderator.getRelation('roles).add(tester); | ||
``` | ||
|
||
Here is an example of a tricky setup that may lead to unexpected result, we'll explain why right after: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here is an example of a tricky setup that may lead to unexpected result, we'll explain why right after: | |
Here is an example of a tricky setup that may lead to unexpected results, we'll explain why right after: |
The same rule apples here - user that is targeted by id is still subject to rules set for all broader scopes. So for `s0m3userId`: | ||
|
||
* 3 sets of fields will be intersected: `*`, `authenticated` and `s0m3userId`. | ||
* As a result only `["ownerEmail"]` ia protected. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* As a result only `["ownerEmail"]` ia protected. | |
* As a result only `["ownerEmail"]` is protected. |
|
||
### `userField:` (pointers) | ||
|
||
There is one more way to target user - by pointer field. The syntax is: `userField:column_name`. This uses similar concept as [#pointer-permissions](Pointer Permisssions). You use column name (of either `Pointer<_User>` or `Array` type) as a key. And fields will be protected for any users pointed to by this field. For example: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is one more way to target user - by pointer field. The syntax is: `userField:column_name`. This uses similar concept as [#pointer-permissions](Pointer Permisssions). You use column name (of either `Pointer<_User>` or `Array` type) as a key. And fields will be protected for any users pointed to by this field. For example: | |
There is one more way to target a user - by pointer field. The syntax is: `userField:column_name`. This uses a similar concept as [#pointer-permissions](Pointer Permissions). You use column name (of either `Pointer<_User>` or `Array` type) as a key and fields will be protected for any users pointed to by this field. For example: |
|
||
``` | ||
|
||
In this example, server checks if the user who hass issued a request is pointed to in requested object's `owner` field. No fields will be protected for user who is set as `owner` of each particular object. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this example, server checks if the user who hass issued a request is pointed to in requested object's `owner` field. No fields will be protected for user who is set as `owner` of each particular object. | |
In this example, the server checks if the authenticated user is equal to the `owner` field of the object. No fields will be protected for the user who is set in the `owner` field of each particular object. |
Documentation for protected fields - CLP feature currently under development. As of now it does not provide substantial level of security and it is advised to avoid using it in production environment especially for sensitive data.