Adds support for read-only masterKey #4297
Conversation
Codecov Report
@@ Coverage Diff @@
## master #4297 +/- ##
===========================================
- Coverage 92.49% 82.06% -10.44%
===========================================
Files 118 118
Lines 8169 8196 +27
===========================================
- Hits 7556 6726 -830
- Misses 613 1470 +857
Continue to review full report at Codecov.
|
spec/rest.spec.js
Outdated
| expect(() => { | ||
| rest.del(config, readOnly, 'AnObject', {}) | ||
| }).toThrow(); | ||
| }); | ||
|
|
There was a problem hiding this comment.
Looks like we still need some more tests in here to verify that read still works, config updates are blocked & direct schema updates are blocked
|
Oh and one more thing, we'll need a PR for this feature in the docs, otherwise nobody may know this actually exists... |
|
Push will be block at the RestWrite level, but we can block it earlier. Actually my readOnly users would likely be able to send push notificairtons, so I'll probably have to refactor after to support it. |
|
@montymxb I believe we're good with that one in terms feature + README, I'll update the docs as well. |
README.md
Outdated
| @@ -225,6 +225,7 @@ The client keys used with Parse are no longer necessary with Parse Server. If yo | |||
| * `customPages` - A hash with urls to override email verification links, password reset links and specify frame url for masking user-facing pages. Available keys: `parseFrameURL`, `invalidLink`, `choosePassword`, `passwordResetSuccess`, `verifyEmailSuccess`. | |||
| * `middleware` - (CLI only), a module name, function that is an express middleware. When using the CLI, the express app will load it just **before** mounting parse-server on the mount path. This option is useful for injecting a monitoring middleware. | |||
| * `masterKeyIps` - The array of ip addresses where masterKey usage will be restricted to only these ips. (Default to [] which means allow all ips). If you're using this feature and have `useMasterKey: true` in cloudcode, make sure that you put your own ip in this list. | |||
| * `readOnlyMasterKey` - A masterKey that has full read access to the data, but no write access. This keys should be treated the same way as your masterKey, keeping it private. | |||
There was a problem hiding this comment.
Just a little typo,
This key should be treated...
spec/rest.spec.js
Outdated
| }); | ||
| }); | ||
|
|
||
| it('should throw when trying to create schema', (done) => { |
There was a problem hiding this comment.
Same name as the test above ^
|
@montymxb and those are addressed :) |
|
Sweet! If @marvelm 's PR for relative dates is good, I'd like it in for 2.6.5. |
|
Definitely, once that's present we can start offering it in the sdks! |
|
yep! We plan to use it purely in REST for now, but SDK support would be thrilling :) |
Closes #4296
The motivation for this feature is to provide read only access to all the data, in the dashboard, the readOnlyMasterKey should be treated with as much respect as the masterKey