Make username field readable in parse server 6

Hello guys,

I have recently upgraded from parse server 4 to parse server 6. Because user privacy is enforced from this version on, I’m looking for a way for my client to access a user’s name. Do I need a separate cloud function to achieve this, or is there some way to remove protection for a certain field (like username in this example)?

Thanks in advance
Valdes

You want a user to access other users’ usernames, not their own?

Exactly. For example to show a list with all users participating at some event.

There are security limitations on how the _User class can be queried. For security reasons, querying by username requires the master key, which should not be used client side.

A user should not be able to access the username of another user, as it’s part of the confidential login data of a user. It seems your schema design needs some more thought. A simple schema could be:

  • class Event (contains events)
    • field startDate
    • field endDate
    • field location
    • etc.
  • class Attendee (contains the users who attend an event)
    • field event (pointer to Event class)
    • field user (pointer to _User class)

Then a user can query the Attendee class.

Hi @Manuel,

Thank you for your response. I was able to make user names readable using the master key like this:

event.relation("participants").query().findAll({ useMasterKey: true });

Now I’m able to display user names of participants/attendees in the mobile app.

What are the advantages of your approach in comparison to my implementation above?

Best regards
Valdes

It depends on your use case and how you intend to query the data - now and in the foreseeable future.

Schema:

  • Relation field participants in the Event class may not be scalable. The number of users an event can have is limited by the max. document size (MongoDB).
  • You cannot attach metadata to the participation; either someone participates or not, depending on whether they are in the relations field.
  • Document sizes of events can vary significantly, there may be an event with zero participation and another one with thousands of participants. This variation may be bad for performance, again depending on your use case and how you process data.
  • You cannot paginate through the participants list.

Security:

  • As I wrote above, a username is sensitive information of a user. Unless your query is related to authentication there should be no reason to query the username. The username of a user should generally not be shared with another user.
  • If you are using the master key, make sure (a) it’s not used client side but only server side, for example inside a Cloud Function, and (b) the Cloud Function is coded in a way that it cannot be misused by a malicious request.
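One way to apply points (a) and (b) above to the relation query from this thread, as an added example that is not part of the original posts. The function name `eventParticipants`, the parameter `eventId` and the `displayName` field are assumptions; the sketch returns an allowlisted display field instead of the username and uses the master key only for the bounded _User read.

```javascript
// Added example, not code from the thread. Assumed names: Cloud Function
// "eventParticipants", param "eventId", and a non-login field "displayName".
const PUBLIC_FIELDS = ['displayName']; // allowlist: username/email stay server side
const MAX_RESULTS = 100;

// Validate client-controlled input before anything runs with the master key.
function parseParams(params) {
  const { eventId, limit } = params || {};
  // Assumes default alphanumeric objectIds; also rejects objects such as {$ne: null}.
  if (typeof eventId !== 'string' || !/^[A-Za-z0-9]{1,32}$/.test(eventId)) {
    throw new Error('invalid eventId');
  }
  const n = Number.isInteger(limit) ? limit : MAX_RESULTS;
  return { eventId, limit: Math.min(Math.max(n, 1), MAX_RESULTS) };
}

// Copy only allowlisted fields out of a user object fetched with the master key.
function toPublicProfile(user) {
  const out = { id: user.id };
  for (const field of PUBLIC_FIELDS) out[field] = user.get(field);
  return out;
}

async function eventParticipants(request) {
  if (!request.user) throw new Error('login required');
  const { eventId, limit } = parseParams(request.params);
  // Fetch the event as the caller, so the event's ACL/CLP decide whether
  // this user may see it at all. No master key here.
  const event = await new Parse.Query('Event')
    .get(eventId, { sessionToken: request.user.getSessionToken() });
  // Master key only for the narrow _User read: field-limited and bounded.
  const users = await event.relation('participants').query()
    .select(...PUBLIC_FIELDS)
    .limit(limit)
    .find({ useMasterKey: true });
  return users.map(toPublicProfile);
}

// Register only when running inside Parse Server Cloud Code.
if (typeof Parse !== 'undefined') {
  Parse.Cloud.define('eventParticipants', eventParticipants);
}
```

The client then calls `Parse.Cloud.run('eventParticipants', { eventId })` and never holds the master key.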

Hi @Manuel,

Thank you, it was very helpful.

Best regards
Valdes