Using create<ClassName> Mutation

I have a custom Class called Item. I would like to use Parse’s auto-generated createItem GraphQL mutation to add an item for the currently logged in user.

I have my Item class security set as follows:

  • CLP: Public Read/Write is disabled; Authenticated Read/Write is disabled; a pointerField for an Item user field is set.
  • ACL: Not applicable for a create operation.

For security reasons, I don’t wish to open my Item class to Public or generic Authenticated access, so my createItem mutation is failing at the CLP level. Under the circumstances, it feels like my only alternative is to not use the createItem mutation and to instead create a custom schema mutation with a Cloud Code resolver that bypasses my CLP security via use of the useMasterKey prop.

My question is this… Is there another way around this situation so that I can use the built-in createItem mutation as desired?

I understand that the pointer field has write access, right? I believe you will be able to use the auto mutation if you use the current user session token and set this field to the own user object. Could you share the CLP that you have in place for this class and also the GraphQL query that you’re trying to use?

Indeed the pointer field has write access. I ended up finding a couple of good explanations for this create object scenario over on the parse-server GitHub, one of which was answered by you and BufferUnderflower starting here.

So, no joy on a pointer field being sufficient permission to create an object, but because I already have a beforeSave trigger that sets a user pointer on my created objects, I just needed to go ahead and add requiresAuthentication: true for create on the Item CLP.

All good, thanks.

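Added example, not code from the thread or from Parse: a sketch of the setup the last post describes, with create opened only to authenticated sessions and a beforeSave trigger that sets the owner server-side, so a user pointer sent in the createItem input cannot assign the Item to someone else. The field name `user`, the function names and the `fakeItem` stand-in are assumptions made for illustration.

```javascript
// Assumed CLP for Item as it would appear in the class schema's
// classLevelPermissions: create requires a logged-in session, and all
// other access remains tied to the "user" pointer field.
const itemCLP = {
  create: { requiresAuthentication: true },
  readUserFields: ['user'],
  writeUserFields: ['user'],
};

// beforeSave handler: the server, not the client, decides who owns the Item.
function itemBeforeSave(request) {
  if (request.master) return; // master-key saves are trusted
  if (!request.user) {
    throw new Error('Authentication required');
  }
  const item = request.object;
  if (item.isNew()) {
    // Overwrite whatever user pointer the client put in the mutation input.
    item.set('user', request.user);
  } else if (item.dirty('user')) {
    // Ownership is fixed at creation; reject attempts to reassign it.
    throw new Error('The user field cannot be changed');
  }
}

// Register the trigger only when running inside Parse Server Cloud Code.
if (typeof Parse !== 'undefined') {
  Parse.Cloud.beforeSave('Item', itemBeforeSave);
}

// Constructed stand-in exposing the Parse.Object methods used above,
// so the handler can be exercised without a server.
function fakeItem(fields, isNew, dirtyKeys = []) {
  return {
    isNew: () => isNew,
    dirty: (key) => dirtyKeys.includes(key),
    set: (key, value) => { fields[key] = value; },
    get: (key) => fields[key],
  };
}
```
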