I have recently upgraded from parse server 4 to parse server 6. Because user privacy is enforced from this version on I’m looking for a way for my client to access user’s name. Do I need a separate cloud function to achieve this or is there some way to remove protection for certain field (like username in this example)?
There are security limitations on how the _User class can be queried. For security reasons, querying by username requires the master key, which should not be used client side.
A user should not be able to access the username of another user, as it’s part of the confidential login data of a user. It seems your schema design needs some more thought. A simple schema could be:
class Event (contains events)
field startDate
field endDate
field location
etc.
class Attendee (contains the users who attend an event)
If depends on your use case and how you intend to query the data - now and in the foreseeable future.
Schema:
Relation field participants in the Event class may not be scalable. The number of users an event can have is limited by the max. document size (MongoDB).
You cannot attach meta data to the participation; either someone participates or not, depending on whether they are in the relations field.
Document sizes of events can vary significantly, there may be an event with zero participation and another one with thousands of participants. This variation may be bad for performance, again depending on your use case and how you process data.
You cannot paginate through the participants list.
Security:
As I wrote above, a username is sensitive information of a user. Unless your query is related to authentication there should be no reason to query the username. The username of a user should generally not be shared with another user.
If you are using the master key, make sure (a) it’s not used client side but only server side for example inside a Cloud Function and (b) the Cloud Function is coded in a way it cannot be misused by a malicious request.