request.user is undefined in hooks when setting useMasterKey: true, even when sessionToken is set #6512
Comments
jonas-db
changed the title
|
Can you write a test case? I think this maybe an issue with subsclassing and beforeSave. |
|
I have the same issue. When I try to save object with both MasterKey and User SessionToken in cloud code, masterKey works but sessionToken is ignored. When I use only sessionToken It works but I cant save object because All Class Level Permissions are disabled and object creation is only allowed with masterKey. Here is the simple use case: I have a beforeFileSave trigger and in that trigger I replace file name with user id. And in my cloud code I create and image thumbnail(base64 string) and save that file. |
|
It does not make sense to send both master key and session token in the same request. You need to choose if you either want to run this request as an user or as the master. What do you want to achieve with |
|
@davimacedo I change file name with user id in beforeSaveFileTrigger. And since I disabled all CLPs for MyClass, I need master key to create that myClass object and I need session token for File trigger. Because I replace file name with user id. This is Why I need it. Both parse File and Parse object saves to database with same save function. If I seperate file saving and ParseObject saving like below code problem would be solved but saving them together makes the problem. You can say: " Then why dont you save them seperatly instead of saving them together". Well I will do that ıf I cant pass sessiontoken and master key together. But If there is a way I want to know |
|
Why don't you set the file name with the current id from the beginning? You don't need a trigger for this: var thumbfile = new Parse.File(user.id, { base64: thumbnail });
myClass.set("thumbmedia",thumbfile);
const myClass2 = await myClass.save(null,{useMasterKey:true});That's what you need to do, right? |
|
That's not the only file I upload. Files can be uploaded from android SDK. I rename files in trigger to make some sort of verification. To know creator of file. Edit: Actually It's not a big deal for me. I just seperated file save and ParseObject save. It works now. |
|
In the trigger you can do something like this: Parse.Cloud.beforeSaveFile(async (request) => {
if (request.isMaster) return;
const file = request.file;
const fileData = await file.getData();
//I change file name to user id.
const newFile = new Parse.File(request.user.id, { base64: fileData });
return newFile;
}); |
|
I never think this way. Looks cool. Thanks. I will use it. |
It does make sense in scenarios such as described above (ie when you need user information). Moreover, it makes sense if you have custom logic in triggers. Since class creation is disabled, only the master can effectively create these classes for the user, yet you have no idea in the triggers on who's behalf this object was created. |
|
If you are performing an operation by using the master key, your user is the master. Can you explain what you need to achieve with the code below? Parse.Cloud.beforeSave('Object', async (request) =>
{
const user = request.user;
const isMaster = request.master;
const object = request.object;
console.log('Ask/BeforeSave')
debug(user) // undefined
debug(isMaster) // true
}) |
|
I want to have access to |
|
Your user in this case is the master. |
|
I don't believe so. When a session token is set, it means this object is saved/updated/... on behalf of that user. Yes, a master user can override that behavior, but the scope is still for that user (eg even though class creation is disabled for clients, the object can now be saved since useMasterKey was explicitly set and overrides the creation behavior). Also cluttering your objects with extra fields for context information is hacky and not clean as I don't need this information in my object itself. Therefore, I proposed #6459 as a solution. In that case, you can keep request.user null (as it is currently), but at least I can pass context information in a clean way (ie the user) even when masterkey is set. |
|
#6459 is probably a better solution for what you may need to solve. Would you be willed to tackle it? |
|
I don't have experience with the internals of parse-server, so i'm not sure if I will be able to. I'll follow up in a month to see what I can do if nobody had a look at it already. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Is your feature request related to a problem? Please describe.
Given the following code:
and the following beforeSave hook:
Saving the object triggers the beforeSave hook, but the
request.useris undefined when usinguseMasterKey. The problem occurs whenObjectcreation is not allowed by the client, thus I can only createObjectwith the masterKey. As a result, I don't have access anymore torequest.userin beforeSave and afterSave and thus I don't know for which user this object was saved. I need this information (ie user id) to execute other side effects.Describe the solution you'd like
Given that both
useMasterKeyandsessionTokenare set, request.user should always include the user on which behalf this request was executed.Describe alternatives you've considered
I haven't found any other solution, besides ticket #6459 .
Additional context
using "parse-server": "^3.9.0",
I will need this feature for an upcoming application, so unless there is a workaround, i'll be open to write a solution if you can give me some pointers.
The text was updated successfully, but these errors were encountered: