Hello, everyone. For newly registered users on Parse Server, the access control list (ACL) only allows access by the users themselves. I’ve added the `nickname` and `avatar` fields to the `User` class. I need all authenticated users to be able to read only the `nickname` and `avatar` fields. I understand that protected fields can safeguard other fields, and the Class-Level Permissions (CLP) can be set to allow public read. However, under the ACL control of the `User` object, other users can’t read it, and there’s no user registration trigger in cloud code. How can I modify the ACL of the `User` class to make it publicly readable?
Are you sure about this? How are you registering the users?
By default, ACLs in the `_User` table are “public read” and “current user write”.
Also, most default fields are indeed protected by default, and you don’t get to see them publicly, but for newly added ones (e.g. nickname or avatar), you should be able to read them even if you’re not authenticated.
No. By default, the ACL of User only allows the current user to read and write. The CLP is public. Therefore, for User objects, only the current user can read and write them, and other users are unable to access them. When I want to include the user pointer field, I can only define a cloud function on the server side and use the MasterKey. I just want to avoid using the MasterKey as much as possible. That’s why I want to set the ACL of ParseUser to be publicly readable and then protect the fields that shouldn’t be exposed. In this way, when other users include the pointer field, they can obtain custom fields such as the avatar.
However, there is indeed a problem. That is, unregistered users can also access the fields exposed by the User object. Well, so I won’t do it this way. Instead, I’ll use a custom cloud function to retrieve the data. At this point, since I’m already using the MasterKey, for example, when querying Posts, I might as well turn off both public and authenticated user access in the CLP of Posts. In this way, it seems that the significance of CLP and ACL is lost. I’m not sure how to find a balance.
Ok, I think I was checking some old server version. Does look like the new ones set ACLs to user only for both read and write. In this case what you could do is:
Solution 1
Create a `beforeSave` or `afterSave` trigger and modify the ACLs using the master key in there. Check this example: Cloud Code Guide | Parse (you might need an `afterSave` trigger here because I don’t know if you can get the new user’s id in the `beforeSave`, but you can check and let us know).
Then change the `_User` class CLP to allow reads for authenticated users only.
Solution 2
If you don’t want to do it using CLPs, you can also do it using a `beforeFind` trigger: Cloud Code Guide | Parse
You can even have an empty `beforeFind` function with just a validator object (Cloud Code Guide | Parse) like this:

```javascript
// Rejects any query on _User that does not carry a logged-in user's session
Parse.Cloud.beforeFind("_User", (request) => { }, { requireUser: true });
```
Solution 3
Change this option to false
and combine it with protected fields:
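Added example (not from this thread or the Parse project) of the Solution 1 trigger described above: an `afterSave` on `_User` that rewrites a freshly created user's ACL to public read / owner write using the master key. The ACL JSON shape (`"*"` and user-id keys mapping to `{read, write}`) is the documented format that `Parse.ACL#toJSON()` emits and `new Parse.ACL(json)` accepts; the loop guard matters because the extra save re-fires the same trigger. Public read still exposes the row to unauthenticated clients, so it is assumed to be paired with the authenticated-only CLP and `protectedFields` mentioned in the answer.

```javascript
// Builds the ACL permission map Parse stores for a user object:
//   "*"     -> anyone may read (field exposure is then limited by protectedFields / CLP)
//   userId  -> the owner keeps read + write
function publicReadAcl(userId) {
  if (typeof userId !== "string" || userId.length === 0) {
    // objectId only exists after the first save, hence afterSave rather than beforeSave
    throw new Error("user id required");
  }
  return {
    "*": { read: true },
    [userId]: { read: true, write: true },
  };
}

// True when the ACL already grants public read; stops the trigger from
// re-saving (and re-triggering itself) once the ACL has been fixed.
function hasPublicRead(aclJson) {
  return Boolean(aclJson && aclJson["*"] && aclJson["*"].read === true);
}

// Cloud Code registration. `Parse` is a global inside Parse Server cloud code;
// the guard lets this file also load outside the server (e.g. in a unit test).
if (typeof Parse !== "undefined") {
  Parse.Cloud.afterSave(Parse.User, async (request) => {
    const user = request.object;
    // request.original is undefined on create; updates (including our own
    // re-save below) are left alone
    if (request.original) return;
    const current = user.getACL() ? user.getACL().toJSON() : null;
    if (hasPublicRead(current)) return;
    user.setACL(new Parse.ACL(publicReadAcl(user.id)));
    // The default ACL grants write only to the user, and the trigger does not
    // run as that user, so the master key is required for this one save.
    await user.save(null, { useMasterKey: true });
  });
}
```

The trigger changes only row-level visibility; which fields an authenticated reader actually receives is still decided by the `_User` CLP and the server's `protectedFields` setting.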