How to limit values returned to user in query?

cperryoh · July 28, 2022, 2:50pm

I am trying to write cloud code that excludes certain values from a query. I have tried using both select() and exclude() to limit what values come back in a query. Here is what my code looks like

Parse.Cloud.beforeFind(Parse.User, (request) => {
     return request.query.select('email');
});

For reference, here is the curl command that I am using to test my cloud code:

curl --location --request GET 'https://<parse-server>.b4a.io/parse/users' \
--header 'X-Parse-Application-Id: <app-id>' \
--header 'X-Parse-REST-API-Key: <api-key>' \
--header 'X-Parse-Session-Token: <token>'

In theory, the response to this command should look something like this:

{
results:[{'email':'[email protected]'},{'email':'[email protected]'}]
}

Instead what I get is the following(all of the user information I would normally get if I did nothing):

{
    "results": [
        {
            "objectId": "jKXYLgeB6x",
            "username": "cperryoh",
            "email": "[email protected]",
            "isBanned": false,
            "emailVerified": true,
            "createdAt": "2022-07-25T17:09:37.963Z",
            "updatedAt": "2022-07-27T16:34:54.186Z",
            "chunksOwned": {
                "__type": "Relation",
                "className": "chunk"
            },
            "ACL": {
                "jKXYLgeB6x": {
                    "read": true,
                    "write": true
                },
                "*": {
                    "read": true
                }
            }
        },
        {
            "objectId": "ykJJhvNuPh",
            "username": "testUser",
            "email":"[email protected]",
            "isBanned": false,
            "emailVerified": true,
            "createdAt": "2022-07-25T19:39:02.854Z",
            "updatedAt": "2022-07-27T16:20:48.083Z",
            "chunksOwned": {
                "__type": "Relation",
                "className": "chunk"
            },
            "ACL": {
                "*": {
                    "read": true
                },
                "ykJJhvNuPh": {
                    "read": true,
                    "write": true
                }
            }
        }
    ]
}

To further add to the confusion, in the cloud-code/parse-SDK documentation, there is no reference to the beforeFind trigger. So I am not even sure what the return type of lambda/function is supposed to be. The only thing I have that is telling me I can return a query object is an example in the cloud code guide here. In one of the examples, they return the result of Parse.Query.or() which does return an object of type Query. Am I using .select() incorrectly or is it not meant for what I am trying to do? Thanks for the help!

davimacedo · July 28, 2022, 3:11pm

I’ve just tested here, and this worked for me:

Parse.Cloud.beforeFind('MyClass', ({ query }) => {
  query.select('myField1');
});

cperryoh · July 28, 2022, 5:40pm

I tried that with the user class and I still get all the user info in return

Parse.Cloud.beforeFind("user", ({query}) => {
  query.select('email');
});

davimacedo · July 28, 2022, 6:22pm

instead of "user", try Parse.User or "_User"

cperryoh · July 29, 2022, 4:44pm

Still not working

PS: Sorry for all the questions, I noticed that you also answered a post I had on StackOverflow, I promise I somewhat know what I am doing

davimacedo · July 29, 2022, 5:45pm

No problem. What you see I believe to be the expected behavior. objectId, createdAt, updatedAt, ACL, and relation schema (not data) always come by default. If you send a GET request to /users?keys=email (without the trigger), you will see the same result.

cperryoh · July 29, 2022, 7:04pm

I know that I can limit what comes back from a get request on the client side using something like what you said. I am trying to limit it on the server side. I would like to hide all data about other users other than their username and a few other non-sensitive things. But of course, they could get data on themselves without limitations. I was thinking about creating a separate object type called PublicUser that basically stores all the data I would like to expose to other users(Profile picture, username, online status, etc). I was hesitant to do that though because I know it would be one extra thing to manage and I would have to keep it in sync with the normal user class. Is there a way to limit what keys I get back from a query on users in cloud code, or is there no way to override that unless you are using your own custom class? Thanks for all the help!

davimacedo · August 1, 2022, 2:37pm

I believe the way to limit the returned keys on cloud code is what you are doing and like I told you it is working. You will not be able to limit objectId , createdAt , updatedAt , ACL , and relation schema though. But the other fields will not be visible to the users.

cperryoh · August 1, 2022, 8:00pm

That makes more sense and it works, thanks!