Skip to content

Need master key perms to call request.user.fetch() in cloud code #750

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
all-iver opened this issue Mar 2, 2016 · 4 comments
Closed

Need master key perms to call request.user.fetch() in cloud code #750

all-iver opened this issue Mar 2, 2016 · 4 comments

Comments

@all-iver
Copy link

all-iver commented Mar 2, 2016

This code works on legacy Parse without using the master key. On Parse Server I need to send {useMasterKey: true} to the fetch() call to make it work. Shouldn't cloud code assume the permissions of the user making the call?

Environment Setup

A user that looks like this is logged in to our iOS app:

{
    "_id": "KJXlhIPK4R",
    "_rperm": [
        "KJXlhIPK4R",
        "role:Admin"
    ],
    "_wperm": [
        "KJXlhIPK4R"
    ],
    ...
}

Steps to reproduce

Have the user call a cloud code method that looks like this:

Parse.Cloud.define('someMethod', function(request, response) {
    request.user.fetch().then(function() {
        // success
    }, 
    function() {
        response.error('Error getting user data.');
    });
});

Logs/Trace

GET /parse/classes/_User/KJXlhIPK4R { 'user-agent': 'node-XMLHttpRequest, Parse/js1.7.1 (NodeJS 5.0.0)',
  accept: '*/*',
  'content-type': 'text/plain',
  host: 'localhost:1337',
  'content-length': '154',
  connection: 'close' } {}
error: ParseError { code: 101, message: 'Object not found.' }
error: ParseError { code: 141, message: 'Error getting user data.' }
@gfosco
Copy link
Contributor

gfosco commented Mar 3, 2016

The difference in the node environment is that there is no 'current' user. So, in order to make a query as a user, you need to pass in the users session token, or override security with the master key option. This may seem slightly counter-intuitive at first, but it is correct.

var userToken = request.user.getSessionToken();
obj.fetch({ sessionToken: userToken }).then(...);
obj.fetch({ useMasterKey:true }).then(...);

@gfosco gfosco closed this as completed Mar 3, 2016
@sami4064
Copy link

sami4064 commented Feb 18, 2017
edited
Loading

For sending push notification I am using Parse.push.send() , which requires a querry for fetching the Installations to which the notification will be sent, but there is no way to set the useMasterKey: true there, what can I do to overcome that ?

@natanrolnik
Copy link
Contributor

You need to pass {useMasterKey: true} in the push send options, and it will find the correct installations. You don't need to fetch manually the installations, passing the query is enough. Additionally, you must pass the master key to the push send function.

@sami4064
Copy link

sami4064 commented Feb 18, 2017
edited
Loading

It am passing userMasterKey: true, but still getting Error: unauthorized: master key is required, here is my code:
var pushQuery = new Parse.Query(Parse.Installation);
pushQuery.equalTo("deviceType", "ios");
pushQuery.equalTo("appVersion", 250);
var pushData = {"title":"title test", "alert":"alert test"};

  Parse.Push.send({
			data: pushData
			}, {
			useMasterKey: true
			}).then(function() {
				 response.success("Push Sent!");
			              }, function(error) {
			          response.error("Error while trying to send push " + error.message);
					                      });

@snyk-bot snyk-bot mentioned this issue Aug 25, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@gfosco @all-iver @natanrolnik @sami4064