Skip to content

docs: document enforcing private users #900

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Sep 17, 2022
Merged

docs: document enforcing private users #900

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
69f81e4
feat: document enforcing private users
dblythy Sep 14, 2022
7fd26ea
Update _includes/common/security.md
mtrezza Sep 17, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion _includes/common/security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ The master key, on the other hand, is definitely a security mechanism. Using the

The overall philosophy is to limit the power of your clients (using client keys), and to perform any sensitive actions requiring the master key in Cloud Code. You'll learn how to best wield this power in the section titled [Implementing Business Logic in Cloud Code](#implementing-business-logic-in-cloud-code).

A final note: It is recommended to setup HTTPS and SSL in your server, to avoid man-in-the-middle attacks, but Parse works fine as well with non-HTTPS connections.
A final note: It is recommended to setup HTTPS and SSL in your server, to avoid man-in-the-middle attacks, but Parse works fine as well with non-HTTPS connections.

## Class-Level Permissions

Expand All @@ -34,6 +34,12 @@ Almost every class that you create should have these permissions tweaked to some

As a start, you can configure your application so that clients cannot create new classes on Parse. This is done by setting the key `allowClientClassCreation` to `false` in your ParseServer configuration. See the project Readme for an overview of [Configuring your ParseServer](https://github.com/parse-community/parse-server#configuration). Once restricted, classes may only be created from the Data Browser or with a the `masterKey`. This will prevent attackers from filling your database with unlimited, arbitrary new classes.

### Enforcing Private Users

*Requires Parse Server 5.0.0+*

By default, Parse Server creates Users with public read access. This allows other users, and un-authenticated users, to read data such as `email`. When moving to production, set the key `enforcePrivateUsers` to `true`, as this will remove the public read access to new users.

### Configuring Class-Level Permissions

Parse lets you specify what operations are allowed per class. This lets you restrict the ways in which clients can access or modify your classes. To change these settings, go to the Data Browser, select a class, and click the "Security" button.
Expand Down
3 changes: 3 additions & 0 deletions parse-server.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,9 @@ sections:
- "parse-server/push-notifications.md"
- "parse-server/push-notifications-clients.md"
- "parse-server/class-level-permissions.md"
- "common/security.md"
- "common/performance.md"
- "common/errors.md"
- "parse-server/file-adapters.md"
- "parse-server/cache-adapters.md"
- "parse-server/live-query.md"
Expand Down