I’m working with Parse Server and trying to perform an aggregation query using the /aggregate
endpoint with a GET
request.
My goal is to only return data that the current user is allowed to read, according to the ACL (Access Control List) settings on each object.
For example, I have a collection called Posts
and each object has an ACL
field that looks like this:
{
"ACL": {
"J2QgVTpjig": { "read": true },
"*": { "read": false }
},
"title": "Post title",
"content": "Some content"
}
I want to use aggregate
with $match
so that it only returns documents where the ACL allows the current user (objectId: J2QgVTpjig
) to read, or where it’s publicly readable.
What I tried
I wrote this pipeline:
[
{
"$match": {
"$or": [
{ "ACL.J2QgVTpjig.read": true },
{ "ACL.*.read": true }
]
}
},
{
"$project": {
"title": 1,
"content": 1,
"createdAt": 1
}
}
]
and sent it like this:
GET /parse/aggregate/Posts?pipeline=<url-encoded pipeline>
My question
Is this the recommended way to enforce ACL restrictions when using /aggregate
in Parse Server?
Because normally, when using find
or get
, Parse automatically filters results by ACL. But it seems that aggregate
does not apply ACL checks automatically, so I have to do it manually inside $match
.
Is that correct?
Or is there a more secure / recommended way to ensure ACL is respected in aggregate
pipelines?
TL;DR
- Parse
find
automatically filters by ACL, but doesaggregate
? - Is it required to add
$match
manually for ACL in the pipeline when using/aggregate
GET endpoint? - How do you usually handle this?
Thanks a lot for any help or best practices!