Column level ACL -- Feature request #4850

Closed
srameshr opened this issue Jun 25, 2018 · 5 comments

Comments

@srameshr
Contributor

srameshr commented Jun 25, 2018

Issue Description

Support column level ACL to support use cases as described below.

Assume there are 2 classes (collections), Media and Likes. The association between them is 1:n. One media can have N number of likes.

Here are some rules on the Media collection:

  1. Each Media record will have its write ACL set to the createdBy user only.
  2. Each Media record will have a relation, say likes, to the Likes collection.

Steps to reproduce

  1. Insert a record, say Record M1 to Media collection from User A
  2. Insert another, say Record L1 to Likes collection from User B
  3. Now, without using masterKey, try to add the newly inserted Record L1 to the likes column in the Media collection, from User B
  4. Fails with a security error.

Expected Results

Works as expected. This is more of a feature request

Actual Outcome

Hope to see column levels ACL supported.

Environment Setup

  • Server

    • parse-server version (Be specific! Don't say 'latest'.) : [2.9.x]
    • Operating System: All
    • Hardware: All
    • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): All
  • Database

    • MongoDB version: [3.x]
    • Storage engine: [S3, Mongo FS]
    • Hardware: [All]
    • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): [All]

Logs/Trace

Include all relevant logs. You can turn on additional logging by configuring VERBOSE=1 in your environment.

@flovilmart
Contributor

I don’t see how column level ACLs can be implemented at this time, but feel free to provide an example implementation and a tentative; after you run it in production for a while, we may consider the changes.

@srameshr
Contributor Author

TL;DR
Can the likes column (which is a relation to the Likes collection) in the Media collection have its ACL set to public write, while the other columns in the Media collection are set to write by the createdBy user only?

@flovilmart
Contributor

Again, I suggest you come up with an initial implementation of this column ACL concept, where to store the metadata for this feature, etc...

Also, you can reverse the relation, by adding a media column in the like object and you’re good security wise. In the afterSave of the like, you can add it in the media relation with the masterKey. Very little code and secure.

@srameshr
Contributor Author

Ok, I will if I get some time.
As for the second paragraph of your comment: I have already said that I don't want to use masterKey. If I want to use masterKey, I don't know how it affects whether I use afterSave or not.

@flovilmart
Contributor

Using the masterKey in the afterSave is only necessary if you model with a relation. If your likes all have a Media object pointer, and you query on the Likes, there is no need to add the like to a relation.

Again, I am not against column based ACLs, but the justification for developing and supporting such a feature is weak, as it is possible to model the data in such a way that is secure and easy with the current features.
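As an added illustration of the two data models discussed in this thread (not code from parse-server or from either participant): a small in-memory model of Parse-style object ACLs, showing why User B's write to Media is denied under the relation model and why the reversed pointer model, plus an optional master-key hook, avoids it. It assumes the per-object ACL shape Parse uses (`*` or a user id mapped to read/write flags) and that a master-key request bypasses the ACL; the records M1 and L1 are constructed for the example.

```javascript
// Added example, not parse-server code: in-memory model of Parse-style object ACLs.
// Assumption: ACL maps "*" (public) or a user id to { read, write }; the master key
// bypasses the ACL entirely, as it does in Parse Server.
function canWrite(obj, userId, useMasterKey = false) {
  if (useMasterKey) return true;
  const acl = obj.ACL || {};
  const grants = (k) => Boolean(acl[k] && acl[k].write === true);
  return grants('*') || grants(userId);
}

// Saving under a user: throws the kind of security error step 4 of the issue hits.
function save(obj, userId, opts = {}) {
  if (!canWrite(obj, userId, opts.useMasterKey)) {
    throw new Error(`Permission denied: ${userId} cannot write ${obj.className}:${obj.objectId}`);
  }
  return obj;
}

// Constructed records from the issue: M1 is writable only by User A, L1 only by User B.
const M1 = { className: 'Media', objectId: 'M1', likes: [],
  ACL: { '*': { read: true }, A: { read: true, write: true } } };
const L1 = { className: 'Likes', objectId: 'L1',
  ACL: { '*': { read: true }, B: { read: true, write: true } } };

// Original model: adding L1 to Media.likes is a write on the Media row, so User B is denied.
function addLikeToMediaRelation(media, like, userId, opts = {}) {
  save(media, userId, opts);          // ACL check is on Media, not on the Like
  media.likes.push(like.objectId);
  return media;
}

// Reversed model: the Like carries a pointer to its Media, so User B only writes L1.
function likeWithPointer(like, media, userId) {
  like.media = { __type: 'Pointer', className: media.className, objectId: media.objectId };
  return save(like, userId);
}

// Reading likes for a media is a query on Likes by pointer; no write on Media is needed.
function likesForMedia(allLikes, media) {
  return allLikes.filter((l) => l.media && l.media.objectId === media.objectId);
}

// Optional afterSave-style hook on Likes: keep the Media relation in sync server-side
// with the master key, so no client ever needs write access to another user's Media.
function afterSaveLike(like, media) {
  return addLikeToMediaRelation(media, like, null, { useMasterKey: true });
}
```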
