What does the Master Key in Parse Cloud?

Question

Could somebody explain me in brief that what does the master key within Parse Cloud Code?

Is it possible that a recently implemented CC function (which uses the master key) can change the behavior of other non Cloud Code functions?

As an instance, you have a properly working solution which lets to the current user to add other PFUser objects into a relation and delete them if needed. Until this point you don't need the master key because you writing the PFUser currentUser with the current user. Later you create another type of user relation where you want to write another PFUser object, now this time you need to use master key, because without this the currentUser won't be able to write another PFUser objects. Therefore you create a Cloud Code file to handle this issue and give legitimacy to the actual currentUser for writing other users. Now everything is working fine, we don't get an error when the actual user wants to write other user objects. However something happened. When currentUser tries to delete data from his first PFRelation (that was also worked before the new cc function) he gets the same error ..user must be authenticated via logIn or signUp that we got before we first tried to write an other user.

I guess since we using the master key it will override the existing/original security options and we need to implement it for every other function. Am i right? If yes, how should i deal with this? Or is it possible to just set different restrictions inside the main.js cc file, and every "old" function will work in the same way plus the new one which using master key?

I would really appreciate any information about the topic, because it's a huge black hole for me.

Answer 1

The master key overrides all security, such as ACL or Class-based permissions. It is like the "root" password.

You should invoke it only when needed, because all methods for the current request after it is enabled with Parse.Cloud.useMasterKey(); will use the master key.

You can selectively use it by passing options to the individual query/save/etc methods.

query.find({ useMasterKey: true }).then(function(results) { // ...

object.save(null, { useMasterKey: true }).then( // ...