5

I store some fields on the User model that should never be edited by users themselves, but instead should be updated only by the backend. So I do validation in beforeSave:

// import all models
var Models = require('cloud/models/index');

// Models.User is a subclass of Parse.User
Parse.Cloud.beforeSave(Models.User, function (request, response) {
    var user = request.object;

    // prevent numberOfApples from being modified on clients
    if(user.existed()) {
        if(user.dirty('numberOfApples')) {
            response.error('User is not allowed to modify numberOfApples.');
            return;
        }
    }

    response.success();
});

So I check if the model existed before; this is important so this does not trigger on sign-up. But then I tried to update that field manually from the Parse dashboard and it throws an error. How can I make sure that only the user is disallowed to edit this field, while the dashboard or backend can do that (apparently when the master key is used)?

pronebird
  • 12,068
  • 5
  • 54
  • 82

3 Answers

5

Turns out request.master is the way to go here. I allow locked fields to be changed when using the master key.

Example:

Parse.Cloud.beforeSave(Models.User, function (request, response) {
    var user = request.object;

    // prevent system managed fields from being modified on clients
    if(user.existed()) {
        // we can change those fields when using master key.
        if(!request.master) {
            var privateFields = [ 'gold', 'skillLevel', 'weaponCount' ];
            for(var i = 0, c = privateFields.length; i < c; i++) {
                var field = privateFields[i];

                if(user.dirty(field)) {
                    response.error('User is not allowed to modify ' + field + '.');
                    return;
                }
            }
        }
    }

    response.success();
});
pronebird
  • 12,068
  • 5
  • 54
  • 82
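The check from the accepted answer, as an added example that is not part of the original post: the locked-field guard is built once from a list of field names, and the Parse `request`/`response`/`user` objects are replaced by hand-written stand-ins (an assumption that mimics only the `existed()`, `dirty()`, `success()` and `error()` members the guard uses) so the four cases that matter can be run without a Parse server. The cases go slightly beyond the answer: a client edit of a locked field, the same edit made with the master key, a sign-up that sets initial values, and a client edit of an unlocked field.

```javascript
// Added example, not code from the original question or answers.
// Builds a beforeSave guard for server-managed fields on Parse.User and
// exercises it against constructed stand-ins for the Parse request objects.

// Build the guard once for a list of locked fields. The returned function has
// the (request, response) signature Parse Cloud Code expects for beforeSave.
function makeLockedFieldsGuard(lockedFields) {
  return function (request, response) {
    var user = request.object;

    // A brand-new object (sign-up) has every field dirty, so it is skipped.
    // request.master is true only when the request carried the master key
    // (dashboard, backend jobs); those callers are allowed to change anything.
    if (user.existed() && !request.master) {
      for (var i = 0; i < lockedFields.length; i++) {
        var field = lockedFields[i];
        if (user.dirty(field)) {
          response.error('User is not allowed to modify ' + field + '.');
          return;
        }
      }
    }
    response.success();
  };
}

// --- Constructed stand-ins (assumption: they mimic only the SDK members used above) ---

// A fake Parse.User: `existed` says whether it was already saved,
// `dirtyFields` lists the attributes changed in this save.
function fakeUser(existed, dirtyFields) {
  return {
    existed: function () { return existed; },
    dirty: function (field) { return dirtyFields.indexOf(field) !== -1; }
  };
}

// Runs the guard with a fake response object and returns the outcome.
function runGuard(guard, request) {
  var outcome = { ok: null, message: null };
  guard(request, {
    success: function () { outcome.ok = true; },
    error: function (msg) { outcome.ok = false; outcome.message = msg; }
  });
  return outcome;
}

var guard = makeLockedFieldsGuard(['gold', 'skillLevel', 'weaponCount']);

// Case 1: a client session edits 'gold' on an existing user -> rejected.
function clientEditsGold() {
  return runGuard(guard, { master: false, object: fakeUser(true, ['gold']) });
}

// Case 2: the same change made with the master key (dashboard) -> allowed.
function dashboardEditsGold() {
  return runGuard(guard, { master: true, object: fakeUser(true, ['gold']) });
}

// Case 3: sign-up sets initial values -> allowed, the user did not exist yet.
function signUpSetsGold() {
  return runGuard(guard, { master: false, object: fakeUser(false, ['username', 'gold']) });
}

// Case 4: a client edits a field that is not locked -> allowed.
function clientEditsNickname() {
  return runGuard(guard, { master: false, object: fakeUser(true, ['nickname']) });
}

console.log('client edits gold:     ', clientEditsGold());
console.log('dashboard edits gold:  ', dashboardEditsGold());
console.log('sign-up sets gold:     ', signUpSetsGold());
console.log('client edits nickname: ', clientEditsNickname());
```

Only the first case is rejected; the other three pass because the master key was used, the object did not exist yet, or the field is not in the locked list. Since `request.master` is the whole basis of the bypass, the check is only as strong as the secrecy of the master key: it belongs in Cloud Code and backend jobs, never in a client build.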
1

There are two factors at play here. First, take a look at the access controls (ACLs) that you have for each object. Those are typically used to determine permissions. However, since you have a "beforeSave" function, that will come into consideration as well. Even changes made on the dashboard or backend will trigger the beforeSave function.

My suggestion would be to remove the attributes from the User table that the user should not change and store them in a custom table with a pointer back to the User object they belong to.

picciano
  • 22,341
  • 9
  • 69
  • 82
  • The ACL is set as public read and write only by the user itself. If I could only check whether the action is triggered with the masterKey, I believe that should be enough to relax restrictions on fields in that case. – pronebird Mar 13 '15 at 16:01
0

I think you need to create a new class with private fields.

Bluety
  • 1,869
  • 14
  • 22
  • This is suggested below. But I don't have to, because `request.master` can tell me if the request is running with the master key, and then I can ignore validation for locked fields. – pronebird Mar 14 '15 at 11:00