Is disabling read/write on all classes and using cloud functions for everything = bad practice?

Basically, I want to disable read/write for all classes (including _User) and just use cloud functions with master key for auth, querying, posting, etc. This way (I think) I can increase security and avoid common mistakes newbies make with parse backend. Will this approach have any downsides?

I don’t see any downside and in fact many developers use this approach.

Awesome. As someone who is new to Parse, this style makes the most sense for me at the moment

The only problem with this is that you are effectively removing all in-built CLP / ACL protections when you use the masterKey, so it’s up to you to be 100% sure that the user who called the function is authorized to access the data.

Personally I normally use beforeSave triggers to enforce ACLs, validate users, etc.

If you fail to correctly authorized or restrict useMasterKey queries, you could be potentially exposing sensitive data.


I’ve used this approach and I like it. Following this approach also gives opportunity to update behaviour on client side without forcing user to update the app.

1 Like