How do I deal with mixed permissions?

Hi,

I’m new to the Parse server and first of all I want to say that this is a really great package. I’ve tried many other systems, but to me Parse is the most powerful of them all. Great work!

I am currently in the learning phase and unfortunately I do not understand a few basic principles of how these can be implemented. Unfortunately there are hardly any tutorials to understand the basics.

To study, I’m trying to build a social shopping app. In this app you can have friends like on Facebook, send friend requests, etc. What I need is some help with the schema.

First, the user class must be divided into private and public. When the user class is updated, the public class is updated.

My PublicUser class has the schema

{username, user (pointer: user), friends (relation)}

Then I have a class FriendRequest.
Cloud code controlled

{ACL (pointer: sender, pointer: receiver), sender(pointer), receiver(pointer), accepted}

Now every user can query the PublicUser data and send friend requests. Is this the right way to implement user relationships?

The users can sell their products. It should be possible to sell them publicly or just to friends. Here I am having difficulty creating the schema. How do you build up the authorizations for such a case? Do I have to add roles? But then that would be an incredible number of roles, since a new role has to be created for each product. Or is it possible to set ACLs on relations?

My idea was this schema, but I don’t know how to handle the authorization.

{title, description, price, user(pointer), relation with authorization ??}

I hope someone can clarify this for me.

Hi.

Welcome to the community!

For the FriendRequest, your schema looks good to me.

For the Product, do you want the users to check each of their friends that can see the product? Or would it always be all of their friends? For the second case, I don’t think you need the relation and you could create a Role for each product.

Anyways, for both cases, I’d personally prefer to create a beforeFind trigger for the Product class which adds the constraint to the query. You can also remove all permissions to the Product class using CLP and create a cloud code function that performs the query with all constraints and using the master key.

Since I want to learn the system, I would implement that the users select individual friends.

Ok, cloud code makes sense. But how can I add constraints to the query?

{title, description, price, user(pointer), friends}

Do you mean something like this?

Parse.Cloud.beforeFind("MyObject", async (req) => {
  const query = req.query;
  const user = req.user;
  query.include("friends");
  const results = await query.find({ useMasterKey: true });
  if (results.get("friends") === undefined || results.get("friends").length === 0) {
    return results;
  } else if(results.get('friends').includes(user)){
    return results;
  }else {
    throw 'Something went wrong';
  }
});

I believe something like this should be enough:

Parse.Cloud.beforeFind("MyObject", async (req) => {
  const query = req.query;
  const user = req.user;
  // Only match objects whose "friends" field contains the requesting user.
  query.equalTo('friends', user);
  return query;
});
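
A fuller version of the beforeFind constraint from the last reply, as an added example that is not part of the original thread: it goes beyond the single friends check by letting master-key callers through, showing owners their own products, and limiting anonymous callers to public products. It assumes a class named Product whose `friends` field is an array of User pointers that is left unset for public products; `restrictProductQuery` and its `ParseSDK` parameter are hypothetical names.

```javascript
// Added example, not code from the thread.
// Assumptions: class "Product", `user` points at the seller, `friends` is an
// array of User pointers, and a public product has no `friends` field at all.
function restrictProductQuery(req, ParseSDK) {
  // Trusted callers using the master key are not restricted.
  if (req.master) {
    return req.query;
  }

  // Everyone, including anonymous callers, may see public products.
  const isPublic = new ParseSDK.Query('Product');
  isPublic.doesNotExist('friends');
  const allowed = [isPublic];

  if (req.user) {
    // Products explicitly shared with the requesting user.
    const sharedWithMe = new ParseSDK.Query('Product');
    sharedWithMe.equalTo('friends', req.user);

    // Sellers must still see their own friends-only products.
    const mine = new ParseSDK.Query('Product');
    mine.equalTo('user', req.user);

    allowed.push(sharedWithMe, mine);
  }

  // AND the client's own constraints with the visibility rule, so a client
  // cannot widen the result set by choosing different query constraints.
  return ParseSDK.Query.and(req.query, ParseSDK.Query.or(...allowed));
}

// Inside Parse Server cloud code `Parse` is a global; register the trigger there.
if (typeof Parse !== 'undefined') {
  Parse.Cloud.beforeFind('Product', (req) => restrictProductQuery(req, Parse));
}
```

Passing the SDK in as a parameter lets the visibility rule be exercised with a stub query class outside Parse Server.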