In managing entities in Parse there are a lot of objects that I need to tie to the current logged in user.
My concerns are:
User
being passed in is the current logged in user.They have this example TODO app which in the documentation shows no Cloud Code in place to ensure that the User
that the Todo
is assigned to is the currently logged in user.
Now that I look through the code I'm starting to think that whenever an object is saved it gets tied to the user. Can anyone explain why this application works and how it is associating the Todo
s with the User
?
UPDATE: Nevermind, I found the place in their code where they specify the user to save for the Todo. My question is, what's stopping a user from writing code that saves the todo with someone else's user id?
this.todos.create({
content: this.input.val(),
order: this.todos.nextOrder(),
done: false,
user: Parse.User.current(),
ACL: new Parse.ACL(Parse.User.current())
});
UPDATE #2: If the User
object has an ACL
set to only allows users to be able to read User
objects they own, then they wouldn't be able to query to get another user object to pass up. However, there are two other possible problems:
User
object even if the user
field on the Todo
s table requires a _User
?If anyone can confirm or provide solutions to either of those that would be helpful. Going to try to test #1 right now.
UPDATE #3 -- After some testing:
user
field on the Todo
s table requires a _User
object, it will not take the objectId as a string.The they can however create a new user object and set the objectId there to get around this.
var user = new Parse.User(); // Create user object
user.id = "cqmEuj1Bzf"; // Assign user id
// Create and save Todo
var td = new Todo();
td.set("name", "Some ting todo");
td.set("user", user);
td.save();
This right here is exactly what I was worried about. I was able to successfully save a Todo to another user's account--as long as I know their user_id (objectId
). With enough users they can likely guess at least one to randomly screw up someone's account.
So what now?
Answer: Use Cloud Code to verify that the user passed in matches the current user. Answer was posted on Parse's forums here.
You can use cloud code to verify that the user passed in matches the current user. That answer was posted on Parse's forums here.
You can use Cloud Code to ensure that the objectId corresponds to the current user making this request. In fact, our sample application, Anypic, does this check on the "Photo" and "Activity" class.
From Anypic's Cloud Code:
Parse.Cloud.beforeSave('Activity', function(request, response) { var currentUser = Parse.User.current(); var objectUser = request.object.get('fromUser');
if(!currentUser || !objectUser) {
response.error('An Activity should have a valid fromUser.'); } else if (currentUser.id === objectUser.id) {
response.success(); } else {
response.error('Cannot set fromUser on Activity to a user other than the current user.'); } });
Parse.Cloud.beforeSave('Photo', function(request, response) { var currentUser = Parse.User.current(); var objectUser = request.object.get('user');
if(!currentUser || !objectUser) {
response.error('A Photo should have a valid user.'); } else if (currentUser.id === objectUser.id) {
response.success(); } else {
response.error('Cannot set user on Photo to a user other than the current user.'); } });
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With