Child role clarification

A few clarification questions on roles: I have a role “authenticatedOnly” and it has a relation (via dashboard) to another role “verifiedUser”. (1) This makes “verifiedUser” the child of “authenticatedOnly”, is that correct? (2) If so, “verifiedUser” gets the same permissions as “authenticatedOnly” has, but not vice-versa, correct? For example, ClassA has a CLP giving R/W permissions to “authenticatedOnly”, then users with role “verifiedUser” would have R/W permissions on ClassA, but ClassB has a CLP giving R/W permissions to “verifiedUser” only, then users with role “authenticatedOnly” would have no permissions. Is this correct?

(3) A bit of an extension to this: for direct signup via email and password, what is the suggested way to catch that a user has verified their email address? Is there a Cloud trigger, or should the client app ask the server to check for an update?

If you link a child role into a parent role, the parent role inherits the access of the child role.

Ex: You have a Moderator role and an Admin role. You add the Moderator role into the Admin role's roles relation. Then all users in the Admin users relation will have access to all objects tagged with the Admin role AND/OR the Moderator role. The roles relation acts as an additional operator for security checks.

To find out if a user has a verified email, you can simply use a before save function on user and check if emailVerified field is dirty (check Parse JS SDK doc).

The email sent automatically by Parse Server (if it’s correctly configured) will trigger before/after save to update the email verified field.

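The dirty-field check described in the answer above, written as Parse Cloud Code. This is an added example, not code from the thread or from the Parse project. It assumes the goal is to put the user into the question's “verifiedUser” role once the email is verified, and that the trigger runs when the server updates the field, as the answer states; all function names are hypothetical.

```javascript
// Added example (Parse Cloud Code). "verifiedUser" is the role name from the
// question; every function name below is hypothetical.
const VERIFIED_ROLE = 'verifiedUser';

// True only when this save changes emailVerified and the new value is true.
// dirty() is also true when the field is written as false, so the new value
// is checked as well.
function emailJustVerified(user) {
  return user.dirty('emailVerified') && user.get('emailVerified') === true;
}

// Builds the trigger body. grantRole is injected so the decision logic can be
// exercised without a running Parse Server.
function makeBeforeSaveUser(grantRole) {
  return async function beforeSaveUser(request) {
    const user = request.object;
    // A user without an id is not stored yet and cannot be added to a relation.
    if (!user.id || !emailJustVerified(user)) return false;
    await grantRole(VERIFIED_ROLE, user);
    return true;
  };
}

// Adds the user to the role's users relation. Roles are normally locked down
// by ACL, so the master key is used for both the lookup and the save.
async function addUserToRole(roleName, user) {
  const role = await new Parse.Query(Parse.Role)
    .equalTo('name', roleName)
    .first({ useMasterKey: true });
  if (!role) throw new Error(`role ${roleName} does not exist`);
  role.getUsers().add(user);
  await role.save(null, { useMasterKey: true });
}

// Parse is a global inside Cloud Code; the guard lets this file load elsewhere.
if (typeof Parse !== 'undefined') {
  const handler = makeBeforeSaveUser(addUserToRole);
  Parse.Cloud.beforeSave(Parse.User, async (request) => {
    await handler(request);
  });
}
```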