2

I have some specific columns on my _User class that I want to edit only with the master key on the server side. My User does have write access to itself. Is there a way to prevent my user from editing specific columns? For example, let's say I have a user object and I want to prevent the user from editing its own points:

before save trigger:
 if(points field have been changed by the user){
  response.error();
 }

It doesn't have to be in a before save trigger, but I highly doubt there is any other point to check such a "dirty" column, if any. Is there a way to achieve what I need (other than obvious solutions such as creating a new class, setting its ACL to none, holding a user pointer and a score column and editing that only with the master key)?

Can Poyrazoğlu
  • How would your user manually change the points? Your app should be able to keep that locked down. Are you worried that people will reverse-engineer your code and call the REST API? – mbm29414 Jan 22 '15 at 13:36
  • @mbm29414 I never, ever deploy security measures client-side. What you are saying is extremely easy for someone who knows what they are doing, and points is just an example. In the actual app, it will be a value of something that you buy with actual money. – Can Poyrazoğlu Jan 22 '15 at 13:38
  • What I meant was that, for most users, if the app doesn't do it, they can't do it. Not so much a security measure, though, I agree. If it's that important, I'd pull it out into a separate class and only manage it in Cloud Code with Master Key. – mbm29414 Jan 22 '15 at 13:40
  • @mbm29414 if that's the only way, I'll go that way. But maybe there is some Parse feature like `obj.isDirty(column)` that I can simply use, which will make my job MUCH easier. – Can Poyrazoğlu Jan 22 '15 at 13:41
  • Well, there's this: http://www.parse.com/docs/js/symbols/Parse.Object.html#dirty – mbm29414 Jan 22 '15 at 13:49
  • Coupled with this: https://www.parse.com/docs/cloud_code_guide?language=JavaScript#functions-modifysave – mbm29414 Jan 22 '15 at 13:50
  • @mbm29414 this is exactly what I've been looking for! I knew about dirty, but missed that optional argument part, I thought it only acted on the whole object :) – Can Poyrazoğlu Jan 22 '15 at 13:50
  • @mbm29414 could you post it as an answer so I can give the credit :) – Can Poyrazoğlu Jan 22 '15 at 13:50

1 Answer

4

Here is the Parse JavaScript Documentation related to "dirty" objects and properties.

{Boolean} dirty(attr)

Returns true if this object has been modified since its last save/refresh. If an attribute is specified, it returns true only if that particular attribute has been modified since the last save/refresh.

Parameters: {String} attr

An attribute name (optional).

Returns: {Boolean}

If you couple that bit (calling dirty("score")) with a beforeSave() Cloud Code function, you should get what you want.

Modifying Objects On Save

In some cases, you don't want to throw out invalid data. You just want to tweak it a bit before saving it. beforeSave can handle this case, too. You just call response.success on the altered object.

In our movie review example, we might want to ensure that comments aren't too long. A single long comment might be tricky to display. We can use beforeSave to truncate the comment field to 140 characters:

Parse.Cloud.beforeSave("Review", function(request, response) {
    var comment = request.object.get("comment");
    if (comment.length > 140) {
        // Truncate and add a ...
        request.object.set("comment", comment.substring(0, 137) + "...");
    }
    response.success();
});
Can Poyrazoğlu
mbm29414
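The combination suggested in the answer, sketched as an added example (not part of the original answer or the Parse documentation): a beforeSave handler on the user class that rejects any non-master-key save touching the `points` column from the question. It uses the legacy callback-style Cloud Code API shown on this page plus `request.master`; `PROTECTED_COLUMNS`, `guardProtectedColumns` and `simulateSave` are hypothetical names, and the request/response objects in `simulateSave` are constructed stand-ins so the logic runs offline.

```javascript
// Added example: server-side write protection for selected _User columns.
// PROTECTED_COLUMNS and guardProtectedColumns are hypothetical names.
var PROTECTED_COLUMNS = ["points"];

function guardProtectedColumns(request, response) {
  // Saves made with the master key (trusted server code) are always allowed.
  if (request.master) {
    return response.success();
  }
  // dirty(attr) is true when this save changes attr. That also covers a
  // client setting the column while creating the object (e.g. at sign-up).
  var touched = PROTECTED_COLUMNS.filter(function (column) {
    return request.object.dirty(column);
  });
  if (touched.length > 0) {
    return response.error("Read-only column(s): " + touched.join(", "));
  }
  response.success();
}

// Register only when running inside Cloud Code, where Parse is a global.
if (typeof Parse !== "undefined") {
  Parse.Cloud.beforeSave(Parse.User, guardProtectedColumns);
}

// Constructed stand-ins for request/response so the check can run offline.
function simulateSave(dirtyColumns, usedMasterKey) {
  var outcome = null;
  var request = {
    master: usedMasterKey,
    object: {
      dirty: function (column) { return dirtyColumns.indexOf(column) !== -1; }
    }
  };
  var response = {
    success: function () { outcome = "saved"; },
    error: function (message) { outcome = "rejected: " + message; }
  };
  guardProtectedColumns(request, response);
  return outcome;
}

console.log(simulateSave(["username"], false)); // ordinary profile edit
console.log(simulateSave(["points"], false));   // client tries to set points
console.log(simulateSave(["points"], true));    // server code with master key
```

Because the handler checks every column in the list, protecting another purchased value only requires adding its name to `PROTECTED_COLUMNS`.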