I have set up my class to control access using ACLs. Only the creator of the object can view or edit the object. There are many thousands of these objects in use in a production environment.

I have a new requirement to, under a certain circumstance, allow a user to remove another user's objects. The simplest analogy is to imagine an admin feature that lets moderators remove all comments by a certain abusive user.

Since the client cannot do this, I am defining a cloud function to handle it, which will be able to use the master key. I pass the user ID from the client to the cloud function, and it should remove all comments by this user.

However, the cloud function is not able to find the comments since they are tied to the user only by ACL. As far as I can tell, it is not possible to query by ACL. Is this accurate?

What is the correct approach here? Do I need an additional column besides the ACL to identify the commenter a second time, simply so I can query by it? This seems duplicative. I will also need to update the many existing records, copying the user specified in the ACL into the new column. Is this even possible?

Or is there some way to build an ACL for use by the cloud function and use it instead of the master key so that the query searches as though it were the user in question?

My final (last resort) suggestion is to fetch all of the objects and then iterate over them checking the ACLs. This is obviously a pretty poor solution for scale and performance since I will need to fetch potentially hundreds of thousands of items to check them all.

Ben Packard
  • How do you let users query and delete their own comments currently if they are not queryable by ACL? – buckettt Apr 11 '19 at 13:23
  • @buckettt In Parse, all queries are scoped by the current user's ACL automatically. So querying from the client only returns the logged in user's objects. From cloud code, you achieve the same by passing in the session token from the client, which is passed along to the cloud function. – Ben Packard Apr 11 '19 at 13:25
  • Using master key should override all ACLs and run delete operation as far as I know. Can you share a code snippet that you use? – ssakash Apr 12 '19 at 04:15
  • The question isn't about the delete operation, it's about finding the objects to delete. All I have is the user ID and the objects are connected to that user via ACL. – Ben Packard Apr 12 '19 at 13:48
  • Any update? I personally query for all users and then check in a loop only the ones that have an ACL with user x – Simoyw Jan 13 '20 at 15:38
  • @Simoyw I've decided to store the user ID in a separate column and use ACLs as a security measure only, not as the primary way to associate objects with a user. I think this will be more future-proof since I might add features even on the client that let one user see another's objects. This will require adding the second user to the ACL but I still want to know which of the two users 'owns' it. – Ben Packard Jan 13 '20 at 19:17
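
The approach settled on in the last comment (an explicit owner column, backfilled from the existing ACLs), as an added example that is not part of the original thread. It works on the JSON form of Parse objects rather than the SDK, and the `owner` column name and all ids are constructed.

```javascript
// Added example. Records use the REST JSON shape of a Parse object; the
// `owner` column name and all ids below are constructed for illustration.

// ACL JSON maps principals to permissions: a user id, "*" (public), or "role:<name>".
// Returns the one user id that holds write access, or null when ambiguous.
function ownerFromAcl(acl) {
  if (!acl || typeof acl !== 'object') return null;
  const writers = Object.keys(acl).filter(
    (id) => id !== '*' && !id.startsWith('role:') && acl[id] && acl[id].write === true
  );
  return writers.length === 1 ? writers[0] : null;
}

// Fills the hypothetical `owner` column in place; returns objectIds needing manual review.
function backfillOwners(records) {
  const unresolved = [];
  for (const rec of records) {
    if (rec.owner) continue; // already migrated, so the backfill is safe to re-run
    const owner = ownerFromAcl(rec.ACL);
    if (owner) rec.owner = owner;
    else unresolved.push(rec.objectId);
  }
  return unresolved;
}

// After the backfill, "all comments by user X" is an equality match on the column.
function commentsOwnedBy(records, userId) {
  return records.filter((r) => r.owner === userId).map((r) => r.objectId);
}

// Constructed sample data.
function sampleComments() {
  return [
    { objectId: 'c1', ACL: { uA: { read: true, write: true } } },
    { objectId: 'c2', ACL: { uB: { read: true, write: true } } },
    { objectId: 'c3', ACL: { uA: { read: true, write: true }, '*': { read: true } } },
    { objectId: 'c4', ACL: { uA: { read: true, write: true }, uB: { read: true, write: true } } },
    { objectId: 'c5', ACL: { 'role:Moderators': { write: true }, uB: { read: true } } },
    { objectId: 'c6' }, // no ACL stored
  ];
}

const comments = sampleComments();
console.log('needs review:', backfillOwners(comments));
console.log('owned by uA:', commentsOwnedBy(comments, 'uA'));
```

In Cloud Code the same loop would run over a master-key query, and because the master key bypasses ACLs, the function has to verify that the caller is a moderator before acting on the client-supplied user ID.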

0 Answers