Using Object Pointer Field in CLP as Security for GraphQL Query Result

I have a custom Item class. I have set my CLP permissions for this class to disable both general public access and general authenticated access, but it does allow user field pointer access:

My Item object ACL is set to allow Read/Write access for my user zFruc41tmW only. Public Read/Write ACL access is disabled for this object.

As I understand it, these CLP settings should make an Item object accessible only by the user who is set in the user pointer field for that specific Item object:


My user is authenticated and I am passing their session token as a header together with the graphql query in my client:

query {
  item(id: "gKTdECrXci") {
    id
    title
  }
}

I’m finding this query doesn’t work and throws an error:
"message": "Permission denied for action get on class Item."

If I allow Public Read access or Authenticated Read access in my Item class CLPs, it works, but I’d like to avoid opening my security that far. What am I missing or doing wrong here? Thanks.

I found a couple of questions related to mine here and here.

If indeed I need to allow Authenticated Read access in my Item class CLPs for my query to work, I have to wonder what is the purpose then of setting a user pointer field CLP permission? It seems to have no discernible effect one way or the other.

@185driver please look at the post I just made here CLP in Dashboard problem

Feel free to share any questions or concerns regarding this topic and I will answer them as soon as I can.

@mess thanks for responding. I had seen your forum post earlier and your merged PR from 17 July 2020, thinking the issue in parse-dashboard was resolved. I see now that the problem remains. Your PR was merged well after the 18 Apr 2020 parse-dashboard v2.1.0 release so I guess an update to parse-dashboard integrating this fix is still yet to come.

I downgraded to parse-dashboard v2.0.4 and indeed noted that CLP permissions for the user pointer field are working there as expected. It’s good to know downgrading is an option.

I tried following the REST API instructions found here for fetching and modifying class permission schema myself but I’m not yet proficient enough to make it work. I keep getting redirected to /login and if I login I simply get back some html markup. I can see the schema in MongoDB Atlas, however, which is helpful for viewing.

@185driver I am also not proficient with the REST API. However, I have used the Parse SDK to change CLPs. Below is a snippet of code showing a method that uses the SDK to accomplish the update. clp is the CLP object that Parse expects.

const Parse = require('parse/node'); // import added; schema operations need the master key

// OPTIONS is not shown in the original snippet; an empty options object is assumed here.
const OPTIONS = {};

module.exports.updateCLP = async (className, clp) => {
    const schema = new Parse.Schema(className);

    // Replaces the class's whole classLevelPermissions object with clp.
    schema.setCLP(clp);

    return schema.update(OPTIONS);
}

To get an idea of what the CLP object looks like, you can fetch the schema of a class and then look at the object in the classLevelPermissions field. That is the CLP object.

https://parseplatform.org/Parse-SDK-JS/api/2.17.0/Parse.Schema.html

Thank you. I found that method in your other post too and have it working in my project. I’m thinking that your PR to fix this issue may end up being a breaking change for parse-dashboard given the changes to the schema format. Maybe that’s why it hasn’t been integrated to the v2.1.x branch yet.

My observation thus far is that it’s a little messy to update pointerFields in the CLPs “by hand” like this because:

  1. the resulting changes aren’t visible in parse-dashboard’s browser interface
  2. using setCLP() wipes out all other CLP settings for that class
  3. if you make a change using the browser method after setting pointerFields using setCLP(), the previously-set pointerFields are then blown away also.

Even so, it’s nice to be able to have the ability to fix the issue this way for now. One just needs to pay attention. Ha. Thanks again!
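Added example, not code from this thread or from the Parse project: the three problems listed above (changes invisible in the dashboard, setCLP() replacing every other setting, dashboard edits blowing the pointer fields away) all come from writing a whole new CLP object. The snippet below instead fetches the class's current classLevelPermissions, merges the user-pointer fields into it, and writes the merged object back, then checks that no operation is left open to the public or to all authenticated users. It assumes a parse-server version that accepts both the per-operation `pointerFields` lists and the older top-level `readUserFields`/`writeUserFields`; the class name `Item`, the pointer field name `owner`, and the environment variable names `PARSE_SERVER_URL`, `PARSE_APP_ID` and `PARSE_MASTER_KEY` are assumptions.

```javascript
// Added example (not from the thread or the Parse project): merge user-pointer
// permissions into a class's existing CLP so schema.setCLP() keeps the other
// settings, then report any operation that is open to "*" or to every
// authenticated user. Assumes parse-server supports per-operation
// "pointerFields" as well as the top-level readUserFields/writeUserFields.

const OPERATIONS = ['find', 'get', 'count', 'create', 'update', 'delete', 'addField'];
const READ_OPS = ['find', 'get', 'count'];
const WRITE_OPS = ['create', 'update', 'delete', 'addField'];

// Deep copy so the CLP fetched from the server is never mutated in place.
function cloneClp(clp) {
  return JSON.parse(JSON.stringify(clp || {}));
}

// Order-preserving union of two field lists (no duplicate pointer fields).
function union(list, extra) {
  const seen = new Set(list || []);
  for (const f of extra) seen.add(f);
  return [...seen];
}

// Returns a new CLP: existingClp with `read` pointer fields added to the read
// operations and `write` pointer fields added to the write operations. Role,
// public ("*") and requiresAuthentication entries already present are kept.
function withPointerFields(existingClp, { read = [], write = [] } = {}) {
  const clp = cloneClp(existingClp);
  for (const op of OPERATIONS) {
    if (!clp[op] || typeof clp[op] !== 'object') clp[op] = {};
  }
  const apply = (ops, fields, legacyKey) => {
    if (fields.length === 0) return;
    for (const op of ops) {
      clp[op].pointerFields = union(clp[op].pointerFields, fields);
    }
    clp[legacyKey] = union(clp[legacyKey], fields);
  };
  apply(READ_OPS, read, 'readUserFields');
  apply(WRITE_OPS, write, 'writeUserFields');
  return clp;
}

// Lists the operations a CLP allows for the public ("*") or for any
// authenticated user (requiresAuthentication), the two settings the thread
// wants to avoid enabling just to make a pointer-field query succeed.
function openOperations(clp) {
  return OPERATIONS.filter(op => {
    const entry = (clp && clp[op]) || {};
    return entry['*'] === true || entry.requiresAuthentication === true;
  });
}

// Fetch, merge and write back through the Parse JS SDK. Connection settings
// come from environment variables whose names are assumed here; schema
// writes go through the master key.
async function grantPointerAccess(className, fields) {
  const Parse = require('parse/node');
  Parse.initialize(process.env.PARSE_APP_ID);
  Parse.masterKey = process.env.PARSE_MASTER_KEY;
  Parse.serverURL = process.env.PARSE_SERVER_URL;

  const schema = new Parse.Schema(className);
  const current = await schema.get();
  const merged = withPointerFields(current.classLevelPermissions, fields);
  schema.setCLP(merged);
  await schema.update();
  return merged;
}

// Only talks to a server when PARSE_SERVER_URL is set; "owner" is the assumed
// name of the Item class's user pointer field.
if (process.env.PARSE_SERVER_URL) {
  grantPointerAccess('Item', { read: ['owner'], write: ['owner'] })
    .then(clp => console.log('open operations after merge:', openOperations(clp)))
    .catch(err => { console.error(err); process.exit(1); });
}

if (typeof module !== 'undefined') {
  module.exports = { withPointerFields, openOperations, grantPointerAccess };
}
```

Because the merge starts from the CLP the server returns, running it after a dashboard edit re-adds the pointer fields without touching whatever the dashboard wrote, and openOperations() is a quick way to confirm that no Public or Authenticated read was left switched on while debugging.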