From 69f81e4e6a3ac3fb53aee9da1e97e4e3450fc59d Mon Sep 17 00:00:00 2001 From: dblythy Date: Wed, 14 Sep 2022 15:12:32 +1000 Subject: [PATCH 1/2] feat: document enforcing private users --- _includes/common/security.md | 8 +++++++- parse-server.md | 3 +++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/_includes/common/security.md b/_includes/common/security.md index 250288f3..5586c961 100644 --- a/_includes/common/security.md +++ b/_includes/common/security.md @@ -14,7 +14,7 @@ The master key, on the other hand, is definitely a security mechanism. Using the The overall philosophy is to limit the power of your clients (using client keys), and to perform any sensitive actions requiring the master key in Cloud Code. You'll learn how to best wield this power in the section titled [Implementing Business Logic in Cloud Code](#implementing-business-logic-in-cloud-code). -A final note: It is recommended to setup HTTPS and SSL in your server, to avoid man-in-the-middle attacks, but Parse works fine as well with non-HTTPS connections. +A final note: It is recommended to setup HTTPS and SSL in your server, to avoid man-in-the-middle attacks, but Parse works fine as well with non-HTTPS connections. ## Class-Level Permissions @@ -34,6 +34,12 @@ Almost every class that you create should have these permissions tweaked to some As a start, you can configure your application so that clients cannot create new classes on Parse. This is done by setting the key `allowClientClassCreation` to `false` in your ParseServer configuration. See the project Readme for an overview of [Configuring your ParseServer](https://github.com/parse-community/parse-server#configuration). Once restricted, classes may only be created from the Data Browser or with a the `masterKey`. This will prevent attackers from filling your database with unlimited, arbitrary new classes. +### Enforcing Private Users + +*Available only on Parse Server starting 5.0.0* + +By default, Parse Server creates Users with public read access. This allows other users, and un-authenticated users, to read data such as `email`. When moving to production, set the key `enforcePrivateUsers` to `true`, as this will remove the public read access to new users. + ### Configuring Class-Level Permissions Parse lets you specify what operations are allowed per class. This lets you restrict the ways in which clients can access or modify your classes. To change these settings, go to the Data Browser, select a class, and click the "Security" button. diff --git a/parse-server.md b/parse-server.md index 7c1a89ef..03ef9b8e 100644 --- a/parse-server.md +++ b/parse-server.md @@ -16,6 +16,9 @@ sections: - "parse-server/push-notifications.md" - "parse-server/push-notifications-clients.md" - "parse-server/class-level-permissions.md" +- "common/security.md" +- "common/performance.md" +- "common/errors.md" - "parse-server/file-adapters.md" - "parse-server/cache-adapters.md" - "parse-server/live-query.md" From 7fd26ead596b99d5c521d7a38b8ed66cf165aa17 Mon Sep 17 00:00:00 2001 From: Manuel <5673677+mtrezza@users.noreply.github.com> Date: Sat, 17 Sep 2022 13:57:59 +0200 Subject: [PATCH 2/2] Update _includes/common/security.md --- _includes/common/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_includes/common/security.md b/_includes/common/security.md index 5586c961..fb3a447c 100644 --- a/_includes/common/security.md +++ b/_includes/common/security.md @@ -36,7 +36,7 @@ As a start, you can configure your application so that clients cannot create new ### Enforcing Private Users -*Available only on Parse Server starting 5.0.0* +*Requires Parse Server 5.0.0+* By default, Parse Server creates Users with public read access. This allows other users, and un-authenticated users, to read data such as `email`. When moving to production, set the key `enforcePrivateUsers` to `true`, as this will remove the public read access to new users.