Security with ACL and Users

[mginz83]

Just about everything in my mongoldb is readable. Why? Its a social application. The objects I am storing, all users need to be able to read it.

I also need users to write to the database, for example, if they add a friend, they need to be able to write that object into the friends db.

If they move from object from one collection to another, they need to be able to write that.

How can I secure that transaction?

[flovilmart]

Use ACL's and Class Level Permissions. I'm not sure I really understand the question. Perhaps it's better suited for Stackoverflow

[mginz83]

I just want to make sure the data on the database stays there and no one can access it. If someone has my keys they can do whatever they want. I figured that out by just the same keys on a different app. Thats not even using the master key -> it was using the client key.

what do you mean by class level permission? making the method private vs public?

[mginz83]

For a sake of the conversation -> I'm currently not using cloud code.

[flovilmart]

Did you read the security sections of the docs? http://docs.parseplatform.org/js/guide/#security

[mginz83]

OK. That is what I am doing already with the ACL. I would have to only allow READ to things I don't want them to change. They can change who their friends are whenever.

However, they can't adjust how much "coins" they have. However, if they gain more coins, if they can't change that in the DB, how would that be added? Without the write permission, that users who might be given a coin, it won't add itself to the db....is that correct?

EDIT:

acl.setWriteAccess(ParseUser.getCurrentUser(), true);
This will allow only that user to write...inside of my app only. So if they create a new app and register with the app key and client key, they won't be able to change it unless they have their object id...

maybe I'm not on the right page....just thinking out loud

[flovilmart]

you should probably setup class level permissions so only the 'owner' column (a User) has those rights.
or use cloud code in order to run the validations.

[natanrolnik]

I'm closing this issue because we try to keep GitHub issues for issues and bugs specific to Parse Server.

Please use StackOverflow with the parse-server and parse-js-sdk tags, and post the link here for reference as well.