How to filter data by ACL permissions in Parse Server using GET /aggregate endpoint?

I’m working with Parse Server and trying to perform an aggregation query using the /aggregate endpoint with a GET request.
My goal is to only return data that the current user is allowed to read, according to the ACL (Access Control List) settings on each object.

For example, I have a collection called Posts and each object has an ACL field that looks like this:

{
  "ACL": {
    "J2QgVTpjig": { "read": true },
    "*": { "read": false }
  },
  "title": "Post title",
  "content": "Some content"
}

I want to use aggregate with $match so that it only returns documents where the ACL allows the current user (objectId: J2QgVTpjig) to read, or where it’s publicly readable.


What I tried

I wrote this pipeline:

[
  {
    "$match": {
      "$or": [
        { "ACL.J2QgVTpjig.read": true },
        { "ACL.*.read": true }
      ]
    }
  },
  {
    "$project": {
      "title": 1,
      "content": 1,
      "createdAt": 1
    }
  }
]

and sent it like this:

GET /parse/aggregate/Posts?pipeline=<url-encoded pipeline>

My question

Is this the recommended way to enforce ACL restrictions when using /aggregate in Parse Server?

Because normally, when using find or get, Parse automatically filters results by ACL. But it seems that aggregate does not apply ACL checks automatically, so I have to do it manually inside $match.

Is that correct?
Or is there a more secure / recommended way to ensure ACL is respected in aggregate pipelines?


TL;DR

  • Parse find automatically filters by ACL, but does aggregate?
  • Is it required to add $match manually for ACL in the pipeline when using /aggregate GET endpoint?
  • How do you usually handle this?

Thanks a lot for any help or best practices!