Relying only in Parse Cloud Code #3067
Comments
You can build an express app with a simple API if that's what you need. |
@flovilmart thank you for your answer... is there any reference I can read or any idea? |
What you want is actually just a web server that is using Parse as a backend, right? You can use expressjs http://expressjs.com and then make an API client on your apps. |
No, well, I would like to use Parse directly, but disabling Queries from clients of cURL. I use background jobs, push, and many more Parse features. What I want actually is being protected against calls like http://mywebserver:1337/parse/users and read every single field. I'm getting sensitive data (according to my structure) but I need Users to be public readable. In Parse Cloud I use |
You can use
|
@flovilmart that is gorgeous... thank you very much! |
@flovilmart, I've been checking deeply, it wouldn't work to isolate only Parse Cloud for example. I tried to isolate in this way:
but Parse Cloud is using /parse/classes/_User for retrieving users, for example, and it won't work... do you have any other workaround or idea to work with? I'm still thinking but got no clue :( |
Yeah because you need all of those still working because parse-server is well, parse-server... I'm not sure we're gonna go that route... |
put a CLP so you can't run a find... |
so I can't run a find from Parse Cloud either :\ ? |
you can run find with the master key |
alright! let's try :) |
We do something similar to the suggestion: All classes have no read and write access via CLP (make sure to switch to advanced permissions mode to also unset Add Field) and our cloud code queries etc. all have Perhaps it would be useful to have a special mode so it is like this out of the box but it is low priority for me as you can achieve this already using the above steps. |
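The setup described in the comment above (classes closed to clients by CLP, Cloud Code reading with the master key), as an added example that is not code from this thread or from the parse-server project. It assumes Parse Server 3.x or later (async Cloud Code handlers); the function name `publicProfile`, `PUBLIC_FIELDS` and the field names are hypothetical.

```javascript
// Added example, not code from this thread. Assumes Parse Server 3.x or later,
// where Cloud Code handlers are async functions that return their result.

// CLP that closes a class to all clients: with no entry under an operation,
// only master-key requests pass. Set it in the dashboard or the schemas API.
const LOCKED_CLP = {
  get: {}, find: {}, count: {}, create: {}, update: {}, delete: {}, addField: {},
};

// Hypothetical field names; list only what a caller is allowed to see.
const PUBLIC_FIELDS = ['username', 'displayName'];

// The SDK is passed in so the handler can be exercised without a server.
function makePublicProfile(Parse) {
  return async function publicProfile(request) {
    const userId = request.params && request.params.userId;
    if (typeof userId !== 'string' || userId.length === 0) {
      throw new Parse.Error(Parse.Error.INVALID_QUERY, 'userId is required');
    }
    const query = new Parse.Query(Parse.User);
    query.select(PUBLIC_FIELDS);
    // The master key bypasses CLP and ACL, so the handler is now the only
    // access control: copy out the allowed fields, never return the object.
    const user = await query.get(userId, { useMasterKey: true });
    const profile = { objectId: user.id };
    for (const field of PUBLIC_FIELDS) profile[field] = user.get(field);
    return profile;
  };
}

// Inside parse-server the Parse global exists, so the function is registered
// and clients reach it at /parse/functions/publicProfile.
if (typeof Parse !== 'undefined') {
  Parse.Cloud.define('publicProfile', makePublicProfile(Parse));
}
```

With the CLP closed, a direct client query against the class is rejected, and the cloud function returns only the fields named in `PUBLIC_FIELDS`.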
I've tried to change CLP for User object, disabling Public GET and FIND. |
@cleever I had faced this issue and got around it by creating a cloud function to sign users up |
I think you need an ACL in this case. Whenever a user signs up, you should place an ACL on that user. This should avoid public queries to find this user. |
@steven-supersolid I'm using the same thing as you, where I disable access to all the tables and only use Cloud Code to access. I'm migrating off to Parse Server now and updating all Cloud Code to use the master key explicitly and removing the current user call, but the queries don't return any data now. Seems like the useMasterKey is not working for some reason and I have been banging my head against the wall for the past 2 days. Is yours working? @flovilmart any help or suggestion here? I googled and read all the issues and it seems like it should be working, but it's not for me. I'm using Heroku and mLab and running the latest version of Node 6.9.1 and the latest beta version of Parse Server. Any help or direction would be greatly appreciated. |
@kyvu probably best to ask on SO and provide a simple code sample and server logs as seems like an issue with your setup |
Hello guys.
This is a question I've tried to find anywhere in StackOverflow or here but I haven't found.
Some of us, developers who use Parse for a backend solution, rely only on Parse Cloud Code to make requests. Sometimes we develop cross-platform products, which is really nice, but maybe we would like to prevent people from fiddling with the REST part (or from the JavaScript SDK, for example). Is there any plan to be able to cut everything except some endpoints such as "http://parsehost/parse/functions/*" in the future?
Thank you very much in advance, and I'm sorry if this question is duplicated (I haven't found it).
Regards.