Allowing userSensitiveFields to be overriden in constructor #3738
Conversation
…utomatically including default fields
| // allow 'userSensitiveFields' from constructor to override default list | ||
| if (typeof userSensitiveFields === 'undefined'){ | ||
| userSensitiveFields = defaults.userSensitiveFields | ||
| } |
There was a problem hiding this comment.
I think this new behavior makes sense, if you specify 'userSensitiveFields' then that takes precedence over the default list of fields instead of merging the two.
Technically this could be considered a breaking change because users that are currently specifying 'userSensitiveFields' are currently getting 'email' appended to that list so this change would alter that behavior. That said, the new behavior would just expose an extra field, which shouldn't break anything. If we really want to avoid making this in a breaking fashion, I can add a new field to the constructor, something like 'includeDefaultUserSensitiveFields' to trigger the new behavior but that seemed a but overkill.
|
Discussed here: #3155 (comment) |
|
@mross22 if its in cloud code, why not just use the master key? |
|
@acinader you're right I actually wasn't specifying the master key correctly in my query in cloud code so when i didnt get user.email back I attributed it to this issue, but really it was because the query wasn't being executed with master permissions. My issue is solved and I understand your comments in the other thread about not wanting to override userSensitiveFields completely and instead just allowing some form of role based access. I'll go ahead and close this PR. |
|
@acinader in my case, roles already secure the whole thing, so totally overriding userSensitiveFields is very fine with me. Anyway, what's the simplest thing to do to get the email ? Redo the search in an afterFind ? Thx in advance, |
|
Btw, maybe you can help me. I can't find any doc for afterFind (only beforeFind) |
|
There is no after find |
|
@oallouch a work around if you want to send email address of users to a client is to create a cloud function that can do the look up on the user table using the master key. |
|
@acinader thx. I used to master key in an afterFind. Work good (but not very efficient). |
|
Ah there is sorry, my bad :) |
|
Just a note to say that I wish you could reopen this issue. |
I ran into the same issue outlined here (#3301) where I was unable to access user.get('email') in cloud code because it because a sensitive field in version 2.3.0.
@acinader, in the thread for the issue above, you mentioned you would be open to a change that allows unsetting 'email' as a sensitive field, so this is my attempt to do so.
Also tagging @Amex22 so you see this since you filed the initial issue