Security with ACL and Users #3971
Use ACLs and Class Level Permissions. I'm not sure I really understand the question. Perhaps it's better suited for Stackoverflow
I just want to make sure the data on the database stays there and no one can access it. If someone has my keys they can do whatever they want. I figured that out by just using the same keys on a different app. That's not even using the master key -> it was using the client key. What do you mean by class level permission? Making the method private vs public?
For the sake of the conversation -> I'm currently not using cloud code.
Did you read the security sections of the docs? http://docs.parseplatform.org/js/guide/#security
OK. That is what I am doing already with the ACL. I would have to only allow READ to things I don't want them to change. They can change who their friends are whenever. However, they can't adjust how much "coins" they have. However, if they gain more coins, if they can't change that in the DB, how would that be added? Without the write permission, that users who might be given a coin, it won't add itself to the db....is that correct? EDIT: acl.setWriteAccess(ParseUser.getCurrentUser(), true); maybe I'm not on the right page....just thinking out loud
You should probably set up class level permissions so only the 'owner' column (a User) has those rights.
I'm closing this issue because we try to keep GitHub issues for issues and bugs specific to Parse Server. Please use StackOverflow with the |
Just about everything in my MongoDB is readable. Why? It's a social application. The objects I am storing, all users need to be able to read it.
I also need users to write to the database, for example, if they add a friend, they need to be able to write that object into the friends db.
If they move an object from one collection to another, they need to be able to write that.
How can I secure that transaction?
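The split discussed in the thread (friends writable by the owner, "coins" readable by everyone but writable by no client) can be sketched as an added example; this is a simplified in-memory model, not Parse Server's code and not code from the thread. It assumes the coin change is made by trusted server-side code using the master key, which bypasses ACLs in Parse Server; `awardCoins`, `REWARDS` and the object ids are hypothetical names, and Class Level Permissions are not modelled.

```javascript
// Simplified in-memory model of Parse-style object ACLs (added example, not Parse Server code).
// ACL shape follows Parse's JSON form: { "*": { read: true }, "<userId>": { write: true } }.
const store = new Map(); // objectId -> { acl, data }

function allowed(acl, userId, op) {
  const grants = (key) => Boolean(acl[key] && acl[key][op]);
  return grants('*') || (userId !== null && grants(userId));
}

// All writes pass through here. useMasterKey models trusted server-side code and skips the ACL.
function save(objectId, changes, { userId = null, useMasterKey = false } = {}) {
  const obj = store.get(objectId);
  if (!obj) throw new Error('Object not found');
  if (!useMasterKey && !allowed(obj.acl, userId, 'write')) throw new Error('Permission denied');
  Object.assign(obj.data, changes);
  return obj.data;
}

// Constructed sample data: alice's friend list is owner-writable, her wallet is read-only to clients.
function seed() {
  store.clear();
  store.set('friends-alice', { acl: { '*': { read: true }, alice: { write: true } }, data: { friends: [] } });
  store.set('wallet-alice', { acl: { '*': { read: true } }, data: { coins: 10 } });
}

// Hypothetical server-side reward function (the role Cloud Code would play). The amount comes
// from a server-held allow-list, never from the client, so a leaked client key cannot mint coins.
const REWARDS = { dailyLogin: 5, levelComplete: 20 };
function awardCoins(userId, reason) {
  if (!Object.prototype.hasOwnProperty.call(REWARDS, reason)) throw new Error('Unknown reward');
  const wallet = store.get(`wallet-${userId}`);
  if (!wallet) throw new Error('Object not found');
  const coins = wallet.data.coins + REWARDS[reason];
  return save(`wallet-${userId}`, { coins }, { useMasterKey: true }).coins;
}

// Stand-alone demo on the constructed data.
seed();
save('friends-alice', { friends: ['bob'] }, { userId: 'alice' });
try {
  save('wallet-alice', { coins: 9999 }, { userId: 'alice' });
} catch (e) {
  console.log('client write to wallet:', e.message);
}
console.log('coins after server award:', awardCoins('alice', 'dailyLogin'));
```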