I created a class in parse.com and added a column of type: File
Uploaded a file 'myfile' to it.
Changed the security of the class so that GET is not allowed at all.

Client Permissions: GET (disabled)

But I can directly access the file like this from URL:
http://files.parsetfss.com/xxxxxxx-xxx-xxx-xx-xxxxx-xxxx-xx-xxx-xx-xxxx-myfile

So is the access to file object not secure? Or did I miss any configuration?

Jasper

1 Answer

What you secured is getting anything under GET classes/YourClassname; the URL itself is not secured in the sense of ACL. However, as long as no one else except your app knows about the direct URL for the file, they are somehow safe from unauthorized access.

Also there is no direct access to get a list of all files stored for your app. That means that you, as a client, can only see the URL of the ParseFile if you have access to the object it is associated with.

Björn Kaiser
  • Björn Kaiser> I guess parse SDK itself will be using this URL to make the file available to my code, so anyone watching request/response from Mobile App - can see the URL. Is this correct? (file may contain sensitive info. that should not be seen outside the app) – Jasper Feb 05 '15 at 17:06
  • Any other way in parse to store large (json) strings (100k plus) in a secure fashion? The String column field does not have any defined limits, but overall object has an upper limit. – Jasper Feb 05 '15 at 17:09
  • So it's a case of security by obscurity? – kha Feb 06 '15 at 07:58
  • @Jasper That might be true, I am not familiar with the internals. But technically, everyone that would monitor the traffic could potentially read your data. You could as well implement a bridge using Cloud Code, so you pass in an ID that Cloud Code matches to that file and returns it without revealing the URL? Calling Cloud Code functions always requires the right keys, so as long as these are safe, the direct URL should be safe as well. Again, there is no 100% security, if you have specific requirements to security, implement everything yourself without a 3rd party service. – Björn Kaiser Feb 06 '15 at 17:05
  • parse.com can fix this perhaps~ – Jasper Feb 06 '15 at 18:48
  • They probably could yes, for feature requests it is always a good idea to head over to their developer forum and bring it up there https://groups.google.com/forum/#!forum/parse-developers – Björn Kaiser Feb 06 '15 at 19:40
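
An added example (not from the original posts or from Parse) of the Cloud Code bridge suggested in the comments: the client sends only an object ID, the server checks the caller and returns the file content, never the URL. `secureFileBridge`, `findRecord`, `fetchBytes`, the `ownerId` field and the sample data are assumptions; in real Cloud Code the handler would be registered with `Parse.Cloud.define` and the lookups would go through the Parse SDK.

```javascript
// Added example: Cloud Code style bridge with injected dependencies.
// deps.findRecord and deps.fetchBytes are hypothetical stand-ins for a
// privileged object lookup and a server-side HTTP fetch of the file URL.
async function secureFileBridge(request, deps) {
  // 1. Require an authenticated caller; anonymous callers get nothing.
  if (!request.user) return { status: 401, error: 'login required' };

  // 2. The client supplies only an opaque object ID, never a file URL.
  const id = request.params && request.params.objectId;
  if (typeof id !== 'string' || !/^[A-Za-z0-9]{1,32}$/.test(id)) {
    return { status: 400, error: 'bad objectId' };
  }

  // 3. Enforce ownership here, because the file host performs no ACL
  //    check on the direct URL.
  const record = await deps.findRecord(id);
  if (!record || record.ownerId !== request.user.id) {
    return { status: 404, error: 'not found' }; // same reply for both cases
  }

  // 4. Fetch the bytes on the server and return content only.
  const bytes = await deps.fetchBytes(record.fileUrl);
  return { status: 200, name: record.fileName, dataBase64: bytes.toString('base64') };
}

// Constructed sample data (not from the original page).
const SAMPLE_RECORDS = new Map([
  ['abc123', { ownerId: 'u1', fileName: 'myfile',
               fileUrl: 'https://files.example.invalid/constructed-myfile' }],
]);
const sampleDeps = {
  findRecord: async (id) => SAMPLE_RECORDS.get(id) || null,
  fetchBytes: async (url) => Buffer.from('{"secret":"constructed"}'),
};

// Runs the cases a reviewer would check: owner, other user, anonymous.
async function demo() {
  const call = (user, objectId) =>
    secureFileBridge({ user, params: { objectId } }, sampleDeps);
  return {
    owner: await call({ id: 'u1' }, 'abc123'),
    stranger: await call({ id: 'u2' }, 'abc123'),
    anonymous: await call(null, 'abc123'),
  };
}

demo().then((r) => console.log(r.owner.status, r.stranger.status, r.anonymous.status));
```

The direct file URL stays reachable by anyone who learns it, so the bridge only keeps the app from disclosing it; it does not add an ACL to the file host.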