I deployed a Parse server on Heroku. But when I create a demo app and use Charles to capture network traffic, I see that it shows the Application ID and Client ID. With that information, other developers can access data in my class, write junk data, create junk classes with junk data, ... How can I prevent that?
I can prevent them from writing junk data or deleting my data by implementing beforeSave and beforeDelete in Cloud Code. But what about when they read data, and when they create junk classes with junk data?
I guess there's not that much you can do if the other developers are on your team and they have the same access to the app as you. If you mean users, however, the first thing I would do to secure parse-server is to set class-level permissions. As there is no dashboard yet, this has to be done manually. Check out the _Schema collection in your database. It will have a field _metadata that will look something like this:
    // Public read, private write
    "_metadata": {
        "class_permissions": {
            "get": {"*": true},
            "find": {"*": true},
            "update": {},
            "create": {},
            "delete": {},
            "addField": {},
            "readUserFields": [],
            "writeUserFields": []
        }
    }
There are also security options based on roles, users and objects. These can be set in code as before and you can see how the change affects the objects. Here are some example values:
    {
        "_id": "0CjkfC3MCO",
        "_acl": {
            "*": {"r": true},
            "role:store": {"w": true}
        },
        "_rperm": ["*"],
        "_wperm": ["role:admin"],
        "_updated_at": ISODate("2016-02-25T02:26:49.179Z"),
        "_created_at": ISODate("2015-08-07T19:47:42.008Z")
    }
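As an added example (not part of the original answer and not Parse Server's own code), the following sketch audits `_Schema` documents for operations left open to `"*"`, so that classes still allowing public create or addField stand out. The function name `auditClassPermissions`, the sample documents, and the assumptions that `_id` holds the class name and that a class with no `class_permissions` block is unrestricted are all assumptions made for illustration.

```javascript
// Added example: audit class-level permissions found in _Schema documents.
// Operation names are the keys shown in the _metadata example above.
const OPERATIONS = ["get", "find", "update", "create", "delete", "addField"];

// Constructed sample documents shaped like the _Schema entries above.
// Assumption: _id holds the class name.
const sampleSchema = [
  { _id: "Product", _metadata: { class_permissions: {
      get: { "*": true }, find: { "*": true },
      update: {}, create: {}, delete: {}, addField: {} } } },
  { _id: "Order", _metadata: { class_permissions: {
      get: { "role:admin": true }, find: { "role:admin": true },
      update: { "role:admin": true }, create: { "*": true },
      delete: {}, addField: { "*": true } } } },
  { _id: "Scratch" }, // no _metadata: no class-level permissions were ever set
];

// Returns one finding per class:
//   status "unset"        - no class_permissions block (assumed unrestricted)
//   status "public-write" - update/create/delete/addField open to "*"
//   status "public-read"  - only get/find open to "*"
//   status "restricted"   - nothing open to "*"
function auditClassPermissions(schemaDocs) {
  return schemaDocs.map((doc) => {
    const clp = doc._metadata && doc._metadata.class_permissions;
    if (!clp) {
      return { className: doc._id, status: "unset", publicOps: [] };
    }
    const publicOps = OPERATIONS.filter(
      (op) => clp[op] && clp[op]["*"] === true
    );
    const publicWrites = publicOps.filter(
      (op) => op !== "get" && op !== "find"
    );
    let status = "restricted";
    if (publicWrites.length > 0) status = "public-write";
    else if (publicOps.length > 0) status = "public-read";
    return { className: doc._id, status, publicOps };
  });
}

console.log(JSON.stringify(auditClassPermissions(sampleSchema), null, 2));
```

To run it against a real deployment, export the `_Schema` collection to JSON and pass the parsed array in place of `sampleSchema`.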