feat: expand best practices #924
base: gh-pages
Co-authored-by: Manuel <[email protected]>
Should we merge this?
It's ready for merge if you are ok!
```js | ||
Parse.Cloud.define('updateEmail', async (req) => { | ||
req.user.set('email', req.params.email); | ||
await req.user.save(null, { useMasterKey: true }); |
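Review bot: `req.user` is dereferenced in the `set` call with no visible check that the request is authenticated, and `req.params.email` is written as-is by a save that uses `useMasterKey: true`, so ACLs and class-level permissions will not stop a bad or unexpected value. Since this is a best-practices example, consider showing a guard on the caller (for instance the `requireUser: true` validator option on `Parse.Cloud.define`, if it is not already set in the part of the snippet not visible here) and a type and format check on the email before the save.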
Wouldn't it be best practice to avoid any operation using `useMasterKey: true` but instead give only the user write permission in the object ACL? This would mitigate the risk that through a developer mistake in code someone could execute operations because they are using the master key; instead any permission would be bound to the user's session token. Using `useMasterKey: true` should only be necessary if the object is locked even for the user with read/write limited to master key.
Related: #811