How to secure parse server's _Installation, _Session and _Role classes? - parse-platform

I am building a mobile app and I use parse server as back end. I use cloud code for accessing the parse database. Nobody needs direct access to the database; all data-related operations are done through the cloud code API. I deleted all custom classes' CLP permissions for all users and set correct permissions (Get and Create permissions granted, the rest revoked) for the _User class as documented. But I can't find any documentation about the system-created _Installation, _Session and _Role classes. How should I set CLP permissions for the _Installation, _Session and _Role classes to secure the app and the whole system? Thanks

Related

Disable requests to Parse-server without Master Key

Is it possible to disable requests sent to Parse without a master key? I'd like to only access Parse through my custom backend and not give users direct access. Does public 'read' set on the User class mean that anyone can read the records in that class? If so, why is this a default - wouldn't that be against good security practices?
Thanks,
Daniel
Public read means that anyone with your API key can read the user collection from your parse server. The API key is not the best approach to protect your app because anybody can learn it by "sniffing" your network requests.
In order to protect and provide access you can protect your objects with ACLs, which allow you to grant access to a specific user (who is logged in) or to a specific role. So you have a couple of options:
1. Create a master user - each user must have a username and password, and when you create your parse objects make sure that only this specific user can create/read/delete and update them. You only have to make sure that when you create an object you create an ACL for this user, so only this user will be able to modify and read the object. You can read more about parse-server security and ACLs here: http://docs.parseplatform.org/rest/guide/#security
2. Use parse cloud code - in cloud code there is a nice feature, useMasterKey, which provides full access to any object of parse-server, so for each operation that you run (via the JS SDK) you can also set useMasterKey to true and then parse-server will ignore all the ACLs and will execute the query for you. The useMasterKey feature works only in the cloud code context, so it's safe. If you want to provide an additional level of security you can run the cloud code function with your master user (from section 1) and check inside the cloud code for the user session, so if the session is empty you can return an error.
You can read more about cloud code in here: http://docs.parseplatform.org/cloudcode/guide/
This is the code which validates the user session:
// Wrapped in a cloud function (the name is illustrative) so it runs as posted:
Parse.Cloud.define("myService", function(request, response) {
  if (!request.user || !request.user.get("sessionToken")) {
    response.error("only logged in users are allowed to use this service");
    return;
  }
  // ... work for logged-in users continues here
});

Parse server anonymous authentication security issue

I want to supply my users a Dropbox access token through my Parse server.
For those who don't know, a Dropbox access token is a string that supplies direct access to a Dropbox account's files; it should be secret, because if anyone finds it he can delete all the files.
My server should store many access tokens and it should supply the user the correct token, but the problem is that because of the anonymous login I'm afraid that if someone knows the Parse server key, he could get all the secret Dropbox access tokens.
In the first place I supply the access tokens from the server for security reasons and don't hard-code them, to protect them.
But what's the difference if I hard-code the Parse key?
Is there a way to handle this?
Thanks.
Yes, you are correct. If somebody knows your ApiKey he can query your parse server without any problem unless you use ACLs.
An ACL is an access control list, which allows you to decide (at the application level) which users/roles can read or write one or more parse objects or parse users. At runtime Parse will check whether the logged-in user has access to read or write the object, and only if it does will it return the results to the client.
So I suggest you protect your users/tokens with ACLs. If you want to protect only the access tokens, then I suggest you create a separate class that will store the user access token, and in this class you need to create an ACL for the relevant user only.
You can read more about ACL's in here:
iOS SDK
Android SDK
JavaScript SDK

Parse.com security : Access object of another app if you know the objectId

Is it possible to get the data of an object/user on Parse.com if the objectId of the ParseObject is known? I want to know about it as a security concern: is it possible for some other app to access objects from my app if the objectId is known?
It doesn't matter what you have, if you're not on the ACL, you can't pull the data. Make sure you're setting your ACLs up properly to protect your data. Parse's docs are pretty decent in this regard:
https://parse.com/docs/ios_guide#security-recommendations/iOS
If you don't have any ACLs setup then everything defaults to Public Read/Write. This means YES. Another client would need access to your parse keys, but if they were able to find this, they would be able to access anything that isn't protected.

Parse Javascript keys: readonly access

I have an iOS app which writes to the Parse datastore. I also have a webpage which I would like to have read-only access to that same data. I've read that this is possible, but cannot find the place in the data browser where this can be set. It'd be ideal to have read-only access for the web client to all classes but one (which will just log the visit). Is that possible?
You could do this with Roles: simply assign all validated users that log in through the iOS app to a role, e.g. "Registered".
Now on each class, set the permissions to prevent Create/Update/Delete except for the "Registered" role.
The web site by default will not be logged in, so it will not have a user/roles and will be denied Create/Update/Delete rights.
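As an added example (not code from any of the posts above), here is a small pure-JavaScript model of how Parse-style ACLs and class-level permissions decide a request: the owner-only ACL the ACL answers recommend for objects holding secrets, the role-based CLP from this Roles answer, and the session check from the cloud code answer. Parse itself is not loaded; the users, roles and rule objects are constructed sample data, and the CLP semantics used (a missing rule leaves the operation open, an empty rule admits only the master key) are an assumption of this model.

```javascript
// Added example, not code from the original posts: a pure-JS model of how
// Parse-style ACLs and class-level permissions (CLPs) decide a request.
// Principal keys follow Parse's stored JSON shape: "*" (public),
// "role:<name>", or a user's objectId. All sample data is constructed.

// Constructed roles table: user objectId -> role names.
const ROLES = { u_alice: ["Registered"], u_bob: ["Registered"] };

// Principals a request is evaluated against; request.user may be null.
function principalsOf(user) {
  const keys = ["*"];
  if (user) {
    keys.push(user.objectId);
    for (const r of ROLES[user.objectId] || []) keys.push("role:" + r);
  }
  return keys;
}

// Owner-only ACL, as the answers recommend for objects holding secrets.
function ownerOnlyAcl(ownerId) {
  return { [ownerId]: { read: true, write: true } };
}

// Per-object ACL: { "<principal>": { read, write } }. Cloud code using
// the master key bypasses ACLs; an object with no ACL is public read/write.
function aclAllows(acl, user, access, useMasterKey = false) {
  if (useMasterKey || !acl) return true;
  return principalsOf(user).some(p => acl[p] && acl[p][access] === true);
}

// CLP for one operation, e.g. { create: { "role:Registered": true } }.
// Model assumption: a missing rule leaves the operation open, an empty
// rule {} admits only the master key, requiresAuthentication needs a user.
function clpAllows(clp, op, user, useMasterKey = false) {
  if (useMasterKey) return true;
  const rule = clp[op];
  if (rule === undefined || rule["*"] === true) return true;
  if (rule.requiresAuthentication === true && user) return true;
  return principalsOf(user).some(p => rule[p] === true);
}

// The session check from the cloud-code answer as a reusable guard:
// null means the caller may proceed, otherwise the error message.
function requireUser(request) {
  if (!request.user || !request.user.get("sessionToken")) {
    return "only logged in users are allowed to use this service";
  }
  return null;
}
```

Run with the Registered-only CLP and an anonymous web visitor to see the denial described in the Roles answer, and with the owner-only ACL to see that another logged-in user holding the same API key still gets nothing.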

Spring Security ACL extensions to support delegations

I am working on a Grails project that protects resources using Spring Security ACL plugin.
This application also allows resource owners to delegate permissions to other users and those users can further delegate their permissions to other users in viral fashion.
This works fine with standard Spring ACL API, but now I have new requirements:
1. Track who granted/delegated the given permission [the user should be able to see his/her permissions on a given resource as well as all other users' permissions that he/she delegated for that resource].
2. Control viral delegation by the grantee by setting a flag to indicate if this permission can be further delegated.
I am planning to support those requirements by adding two additional fields [ 1. grantee (SID), 2. isDelegatable ] to the ACL_ENTRY table.
I wonder if it will impact any of the Spring ACL core functionality. How can I access those fields using the standard Spring ACL API? Can I cast to a custom Permission object and access those extended fields?
We are also planning to support time-based expirable Permissions which are only applicable during a given start and end time frame. Where should I add this validation logic so that the hasPermission() method call considers the time validity of the granted Permission?
Please advise.
