It appears that the ParseFile does not have an ACL, or put another way, once the URL of the ParseFile gets out in the wild, the file is available to anybody who can make a GET http request.
I hope I'm missing something in the documentation, because this does not sound like a great idea. As best as I can understand it, this means that the URL is "protected" only by the ACL of the ParseObject that holds the reference to the ParseFile.
Perhaps it's relevant to know that I'm reading/using the .NET+Xamarin bits.
I think you've summed it up best yourself:
"protected" only by the ACL of the ParseObject that holds the reference to the ParseFile
If someone does happen to know your url for that particular file then kudos to them, because they are uniquely created, just like objectId's:
.. containing the name of the file, which is the original file name prefixed with a unique identifier in order to prevent name collisions. This means you can save files with the same name, and the files will not overwrite one another...
So in other words, the last path component will always be unique:
tfss-db295fb2-8a8b-49f3-aad3-dd911142f64f-airlines.txt
Even if you re-upload a new airlines.txt document:
tfss-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-airlines.txt
To summarize ACL:
An ACL, or Access Control List can be added to any Parse.Object to restrict access to only a subset of users of your application.
So according to Parse, it's purposes are intended for the object itself, not specific parameters of that object. As of now, they do not support say, setting a specific read/write ACL on the objects 'Title' column or 'Email' column or a specific column type, the ACL's are object or User dependent.
For those that are interested in reading more about Parses ACLs can see their resource here: http://blog.parse.com/learn/engineering/parse-security-i-are-you-the-key-master/
Related
My code (view) So far everything is working well when am accessing a folder(uploads) withing the root, but i would like to access a folder located in a different location withing the same server without showing sensitive information in the url when the image loads.
<img src="<?php echo base_url('/uploads/'.$popular_car['img_path'])?>" class="card-img-top"
style="height: 150px;"></div>
There's many alternatives. Most will involve some sort of database use. This is what I do (greatly summarized)
Every file that will need to be accessed has a record on a table. The record has a primary id, a secret random token and the path to the file. The table is indexed by both the primary ID and the token.
On the URL I get something like base_url('controller/file_access/).$id.'/'.$token. Upon receiving the request, I'll check the files table, if there's a match for both parameters, I'll stream the file to the browser. This way of doing things, albeit a little bit more complicated, has two main benefits:
1.- it prevents a user to just try different numeric IDs and see what is displayed. Since IDs are numeric and autoincrementing, all you'd need to do is looping from 1 to 100000 and download all files. Adding the token and querying the table with both parameters greatly reduces the risk of someone getting a file he/she's not intended to.
2.- it obscures the real location of the file, as streaming it to the browser in this way looks (in the eyes of the browser) as being located in example.com/controller/file_access/id/token but the real or relative path to the image remains hidden and non-accessible from the web.
Using this as a base you can add a lot of logic on top of this depending on your needs. You could also have an "allowed_user" field in the table if files are private and/or user-specific so that you don't stream the file if the user is not allowed to see it (even if he has the correct ID/token combination).
This is just a rough description of what I do on a couple of sites. Take it as the theoretical foundation you can build on.
New to Parse, coming from Google Firebase, I am not able to completely wrap my head around the security aspect of the platform, let alone write some code. From Firebase, I'm used to writing security rules, by defining conditions that need to be met for certain actions to be allowed (such as: allow write if owner field of post is equal to the current users uid).
So how would I solve following problem? I have an object Post containing properties title, content, owner, public.
Allow reading under following conditions:
if public == true
or currentUser matches field owner
Allow writing if currentUser matches field owner.
Is there a way to implement this? I have found a solution to restrict writing using Cloud Functions, although I am certain there must be a better way.
Thanks in advance!
I'm studying different technologies to create an API for a multi plateform application. This application has to give the possibility to users to share a file with a friend without authentication, but the URL has to be unguessable so the file keep secret. Juste like sharing picture feature in google photos.
Spring boot is one of the most interesting framework to create a multi plateform API, but I'm wondering if it's possible to create a secret and unguessable URL.
Thank you for your time.
To answer your question : you can organize your URLs path with some random hard-to-guess part (eg https://hostname/fileshare/Zak/myVideos/295223cb464d4e4794b93a09a1c730fd) UUIDs are 128 bits data and pretty much standard.
Another way would be to add a checksum token in the queryString :
https://hostname/fileshare/Zak/myVideos/lolcat.mp4?h=187515ZEDwhere the token is generated from the url path (and possibly even the queryString) with some secure algorithm (for exemple hmac256) and have your Controller (or better, a Filter) check if the h parameter is indeed equal to the hashed path.
EDIT : further explanation :
I'm assuming you've already got (or at least intend to have) a controller capable to serve content based on a file system directory. In my previous example, I assumed something of the likes /Zak/myVideos/. Spring controllers can easily return files in this directory by their filenames, but if the filename are easy to guess (eg video.mp4), I understand that /Zak/myVideos/video1.mp4 would be vulnerable. That's why I suggested to use UUIDs.
How to use UUIDS ?
If you can rename the files in /Zak/myVideos, simply rename them by random UUIDs and it will work transparently. The drawside to this is 1) the filenames won't mean anything anymore and 2) you're maybe not able to rename those files.
You can also have a DB table referencing filenames and UUIDs, and simply have your controller call a service to retrieve the correct filename from the correct UUID. The drawside to this is that you'd need to have a DB and write some code (and slow down API calls to query the DB).
That's why I also suggested to simply use a token. The url would still be the litteral path to your file, but require an additional parameter (the token) in the queryString. A servletRequestFilter could check whether the token is valid or not (with a simple hash + check algorithm) before granting access to the controller serving the file. This way, you won't need to rename your files nor create a DB.
I wanted to create a new option in the Data Browser (just like the "username", "password", "authData"...fields), to hold a monetary value for my game. So a new field called "money" that will hold a value.
However, I'm not exactly sure how to go about doing so.
I took a look at the documentation and found things like .add but I wasn't sure exactly what was going on in the code.
Does anyone know a way to do this?
In the data browser, there is a "+ Col" button which allows you to add another field to your class. You can then set the name of the field and it's type.
You can also do this from their SDK's by simply setting the field, even if you have not added it via the data browser.
Here is what the Parse docs say regarding this:
Storing data through the Parse REST API is built around a JSON encoding of the object's data. This data is schemaless, which means that you don't need to specify ahead of time what keys exist on each object. You simply set whatever key-value pairs you want, and the backend will store it.
Source: https://parse.com/docs/rest#objects
For example, I have a field that give user to type their domain, the user can type any domain on this, but I don't valid this domain is belong that user. Of course, I can generate a random number text file for user to upload, and when I get the random number text file, if it is match, I can just treat it as a valid domain holder. But, except from this method, is that anyway to do so? Thanks.
Options I have seen:
Have user Create a Text file in document root, check for it
Send Email to contacts listed in whois (Or other ROLE type accounts (postmaster, hostmaster, etc...), with token they need to
return
Have them create an 'A' record in their DNS that is unique and you can query for.
There really isn't any other way of telling if they have control over the domain. Using whois information isn't 100% accurate as people don't update it, or their info isn't registered to them, or is hidden behind something like domains by proxy. There is no standard information in DNS, that can tell you ownership. Since google uses the DNS method and the text file method (I think), you can probably safely assume that is a good way to verify it.