
Conversation

@mtrezza (Member) commented Oct 5, 2025

New Pull Request Checklist

Issue Description

The dashboard config objects are stored on server with public read / write access.

Approach

Store with read / write by master key only.

Summary by CodeRabbit

  • Bug Fixes
    • Tightened access controls on server configuration data to prevent unintended exposure. Configuration entries now default to restricted access, reducing risk from misconfiguration or unauthorized reads. No changes to how configuration is retrieved or deleted, and no user-facing behavior changes are expected. This hardening improves overall security and integrity of server settings while maintaining existing functionality and performance.

@parse-github-assistant

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

@parseplatformorg (Contributor)

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

@coderabbitai bot commented Oct 5, 2025

Caution: Review failed. The pull request is closed.

📝 Walkthrough

setConfig in src/lib/ServerConfigStorage.js now sets an empty Parse ACL on the config object before saving with the master key. Retrieval and deletion logic remain unchanged.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Server config storage: `src/lib/ServerConfigStorage.js` | In setConfig, after updating typed fields and clearing others, assigns `configObject.setACL(new Parse.ACL())` before saving with master key. No changes to get/delete paths. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  autonumber
  participant C as Caller
  participant S as ServerConfigStorage.setConfig
  participant P as Parse.Object(Config)

  C->>S: setConfig(key, value)
  S->>P: set typed field(s) based on value
  S->>P: clear other value fields
  Note over S,P: New step: set empty ACL
  S->>P: setACL(new Parse.ACL())
  S->>P: save({ useMasterKey: true })
  P-->>S: saved
  S-->>C: resolve
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dde78a3 and 0f7c618.

📒 Files selected for processing (1)
  • src/lib/ServerConfigStorage.js (1 hunks)

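The walkthrough above states the fix as `configObject.setACL(new Parse.ACL())` before the master-key save. The following is an added example, not code from parse-dashboard or the Parse JS SDK: it models Parse's ACL semantics in plain JavaScript to show why an empty ACL (`{}`, the JSON form of `new Parse.ACL()`) is readable and writable by the master key only, and it audits stored rows for public access. The audit matters because the change only applies to objects saved by `setConfig` from now on; rows written before the fix keep whatever ACL they already had. The ACL JSON shape, the master-key bypass, and "no ACL means public" are the example's assumptions about Parse; the sample objects are constructed, not real data.

```javascript
// Added example, not parse-dashboard or Parse SDK code.
// Assumed Parse ACL JSON shape as stored on an object:
//   { "*": { read, write }, "<userId>": { read, write }, "role:<roleName>": { read, write } }
// An empty ACL ({}) grants nothing, so only master-key requests get through.

/**
 * Decide whether `requester` may perform `op` ('read' | 'write') on an object
 * carrying `acl`. Assumed Parse rules: the master key bypasses the ACL; an
 * object with no ACL is public (still subject to class-level permissions);
 * otherwise access is granted if the public entry, the user's own entry, or
 * one of the user's role entries grants the operation.
 */
function canAccess(acl, op, requester = {}) {
  if (requester.master === true) return true;
  if (acl === undefined || acl === null) return true;
  const keys = ['*'];
  if (requester.userId) keys.push(requester.userId);
  for (const role of requester.roles || []) keys.push(`role:${role}`);
  return keys.some(key => acl[key] && acl[key][op] === true);
}

/**
 * Return the ids of objects that an unauthenticated client could still read
 * or write. Run this over the config class after deploying the fix: setACL in
 * setConfig only protects objects saved from then on.
 */
function auditPublicAccess(objects) {
  const anonymous = {};
  return objects
    .filter(obj => canAccess(obj.ACL, 'read', anonymous) || canAccess(obj.ACL, 'write', anonymous))
    .map(obj => obj.objectId);
}

// Constructed sample rows in the shape a class query returns (hypothetical data):
// one with the old public ACL, one with no ACL at all, one saved after the fix.
const sampleConfigObjects = [
  { objectId: 'cfgPublic', key: 'views', ACL: { '*': { read: true, write: true } } },
  { objectId: 'cfgNoAcl', key: 'theme' },
  { objectId: 'cfgFixed', key: 'views', ACL: {} },
];

console.log(auditPublicAccess(sampleConfigObjects)); // → ['cfgPublic', 'cfgNoAcl']
```

The two flagged rows are the ones to re-save (or delete) with the master key after the upgrade. A class-level permission restricting the config class to master key only is a second, independent layer worth setting, since a missing ACL on a single object is otherwise treated as public.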

@mtrezza mtrezza merged commit 31a4639 into parse-community:alpha Oct 5, 2025
10 of 11 checks passed
parseplatformorg pushed a commit that referenced this pull request Oct 5, 2025
# [7.6.0-alpha.7](7.6.0-alpha.6...7.6.0-alpha.7) (2025-10-05)

### Bug Fixes

* Dashboard config objects stored on server with public read / write access ([#2997](#2997)) ([31a4639](31a4639))
@parseplatformorg (Contributor)

🎉 This change has been released in version 7.6.0-alpha.7

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Oct 5, 2025
@mtrezza mtrezza deleted the fix/dashboard-config-acl branch October 5, 2025 12:41
parseplatformorg pushed a commit that referenced this pull request Nov 1, 2025
# [8.0.0](7.5.0...8.0.0) (2025-11-01)

### Bug Fixes

* Add missing major version increase of dashboard release ([#3005](#3005)) ([5debb4d](5debb4d))
* Cannot connect to server with error invalid header name ([#3006](#3006)) ([ea4ec07](ea4ec07))
* Currently displayed view reloads when editing and saving a different view ([#3002](#3002)) ([794a35a](794a35a))
* Dashboard config objects stored on server with public read / write access ([#2997](#2997)) ([31a4639](31a4639))
* ESC key does not cancel editing in data browser cell ([#3001](#3001)) ([d1d7241](d1d7241))
* Filter text field in data browser partly loses focus when hitting enter key to apply filter ([#2992](#2992)) ([e3085b9](e3085b9))
* Filter text field in data browser partly loses focus when selecting in drop-down element by hitting enter key to apply filter ([#2993](#2993)) ([f4c17c7](f4c17c7))
* Info panel briefly shows cached media content from previously selected cell when using pre-fetch ([#3008](#3008)) ([dd6a85e](dd6a85e))
* Missing alert when changing data browser browser data while rows are selected ([#2994](#2994)) ([6cabaa3](6cabaa3))
* Security upgrade parse from 3.5.1 to 7.0.1 ([#3003](#3003)) ([5123fbf](5123fbf))
* Security upgrade passport from 0.5.3 to 0.6.0 ([#3000](#3000)) ([fbb5e6d](fbb5e6d))
* Session management issue that causes malformed redirect URLs ([#3011](#3011)) ([1649dd3](1649dd3))
* Storing view on server creates view key with hashed view name instead of UUID ([#2995](#2995)) ([7cb65f3](7cb65f3))
* Switching between browser tabs can cause illegible text color for config parameter value field ([#3010](#3010)) ([77c5c67](77c5c67))
* View table data may be retained when switching between views ([#2996](#2996)) ([ddc91c9](ddc91c9))

### Features

* Add `matches regex` filter to data browser replacing limited `string contains string` filter ([#2991](#2991)) ([64a9f71](64a9f71))
* Add info panel options `prefetchImage`, `prefetchVideo`, `prefetchAudio` to pre-fetch media content in the info panel ([#3009](#3009)) ([6796c9e](6796c9e))
* Add Parse Server version compatibility detection ([#3004](#3004)) ([9a7a60f](9a7a60f))

### Performance Improvements

* Storing, deleting, modifying view in server storage now only affects the specific view instead of updating all views ([#2998](#2998)) ([48cea3c](48cea3c))

### BREAKING CHANGES

* This increases the required minimum version to Parse Server 7. ([5debb4d](5debb4d))
@parseplatformorg (Contributor)

🎉 This change has been released in version 8.0.0

@parseplatformorg parseplatformorg added the state:released Released as stable version label Nov 1, 2025
