Help with protectedFields on the _User class

whoami · September 2, 2020, 12:39pm

Hi everyone,
I have a question about the usage of protectedFields in the _User class.
I want to have some fields that are only available for the User, not for anyone else.
How could this be done without creating an extra class to store those fields?
Kinda like the old sensitiveUserFields.

davimacedo · September 2, 2020, 9:50pm

You need to pass something like this protectedFields: { _User: { '*': ['phone'] } } when initializing Parse Server.

whoami · September 2, 2020, 11:03pm

Hi,
Thanks for the answer.
It worked!
Here is my code in case anyone needs something similar.

protectedFields: {
  _User: {
    "*": ["email", "privatePhone", "emailVerified", "birthday"],
    "role:generalAdmins": [],
    "role:generalModerators": [],
    "role:userAdmins": [],
    "role:userModerators": []
  },
  Files: {
    "*": ["metadata"],
    "role:generalAdmins": [],
    "role:generalModerators": [],
    "role:filesAdmins": [],
    "role:filesModerators": []
  }
}

uzaysan · September 3, 2020, 6:10am

Hi @davimacedo . What’s protected fields? İ recently updated my dashboard to 2.1.0 and protected fields are new. They didn’t exist in previous dashboard version. What do they do?

By looking at the name, i think it prevents some field to be fetched.

Like if I add email field to protected fields, does parse server removes email before sending it to client. I’m currently doing it by converting user to json then delete email field.

Can you clarify?

whoami · September 3, 2020, 8:08am

There is still no documentation about it, but here you have an example by @davimacedo on how to use it.

It does what you think, it makes the rows you choose invisible for the general public, you can also specify roles that you want to be able to read it.
You can also give the user set on a pointer specific protectedFields with “userField:someField”:
More information here:

uzaysan · September 3, 2020, 10:46am

Thank you for the examples. Does protected fields work against masker key? İ moved all my logic to cloud code and using master key in every query.

davimacedo · September 4, 2020, 7:50am

Master key by passes the protected fields rules.

uzaysan · September 4, 2020, 9:09am

Thank you…

whoami · September 11, 2020, 11:24pm

Is there any way to make a protectedField on the User class that not even the user is able to see it?
For example a column called is isBanned, only available with the master key, so the user can not change his status or see it.

davimacedo · September 17, 2020, 7:28am

You can place this field on a separate class with a pointer to the _User class.

whoami · September 19, 2020, 2:13pm

That’s the approach I’m taking right now, but It will be cool to make it directly onto the user class so for example here:

Instead of having to query the second class to verify the user status it will all be made in the first one.
This is not a big problem, but just wanted to give my two cents.