ACL for files

[srameshr]

Issue Description

ACL's are not obeyed on file type.

Steps to reproduce

Create a row or a record with a file type column in it and set its ACL to public read and write false. Now anybody who has the access to the link can access the file.

Does this fall under parse or server config?

Expected Results

The files should obey ACL and return 404 is credentials are not met.

Actual Outcome

The file is accessible.

Environment Setup

• Server

  • parse-server version (Be specific! Don't say 'latest'.) : 2.9.x
  • Operating System: MAC OS High Sierra
  • Hardware:
  • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): Both

• Database

  • MongoDB version: 3.3.x
  • Storage engine: MongoFS
  • Hardware:
  • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): Both

Logs/Trace

Null

[montymxb]

@srameshr this is actually how it worked in the original Parse.com, however there was the caveat of having a file key in some cases to restrict access. Setting a file key in the parse server config was used to provide access to files that were hosted on the original Parse.com api.

Haven't dug into it but it might be worthwhile to consider enabling a similar fileKey feature for the current parse server.

[srameshr]

It would be a critical security feature that has to be allowed. Though links to files are not obvious or filename derived the access should still obey ACL.

[flovilmart]

ACL for files should be enforced at bucket level, depending on your storage provider. I’m not against introducing such feature, but it requires a major overhaul including enforcing such restrictions on your storage. In many cases you want to serve your files from the storage adapter directly, like S3 to prevent the traffic from hitting your server. I’m not saying the current solution is perfect, but the obfuscation of the name is for now good enough.

That said, what storage do you use, and are the permissions on this storage properly configured? Did you disable bucket listing?

[srameshr]

Well thats a bummer! I wish this was part of the parse server. And no I don't use S3 but just the regular mongo IFS.

[milesrichardson]

One thing I would like along these lines is the ability for parse-server-s3-adapter to upload to an arbitrary number of buckets, rather than just one. I'm building an app where users create "data rooms" and each data room is an encrypted S3 bucket. As far as I can tell, I can't use any native parse features for this so I need to build the system out myself.

[montymxb]

@milesrichardson I don't see a multi-bucket solution within parse server itself coming around.

With that being said it may be possible to put together a storage adapter that performs this in one way or another. You could base it off of the existing s3 adapter and go from there.

[srameshr]

@montymxb I wish there was a generic solution that worked with either, s3 or object storage (Digital ocean) or the default Mongo storage.
Also, is this feature still being considered?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[acoyiu]

@srameshr my colleague has to set up the client to send the session as cookie to the server, and set up a logic in express for checking all request to the the file url, preventing unauth access to the files

[flovilmart]

@srameshr I will close this issue as the core team won’t be working on it. Any proposal can go through either a detailed issued with design, architecture etc... or better a Pr with a tentative implementation.