[PROPOSAL] Add a Default User Role #3153

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
benishak opened this issue Dec 1, 2016 · 9 comments
Labels: type:feature (New feature or improvement of existing feature)

Comments

benishak (Contributor) commented Dec 1, 2016

Is there a way to have a User Role by default?
Imagine you have a class called Activities and you want to let only logged-in Users create objects in that class, but only the user himself can delete or update his/her own object that he/she created.

The issue here is that we have to allow Public Create in the CLP, which lets everybody add a new entry in the class, but thanks to the ACL only the user can delete or update his/her object, which is fine.

Expected Behavior:

  • CLP Public Create should not have to be allowed just to let a User create an object

Workaround for now:

  • Create a new Role User and add a relation that adds all users from the User class
  • Disallow CLP Public Create
  • Add a new row in the CLP for the User Role and enable Create for it

This is only an example; this can apply to any other operation such as delete.

Here is an example with the delete operation that doesn't work because of the CLP when Public Delete is not checked:

  • A User creates an object in the Activity class
  • This Activity has ACL set to [Public Read, Write: user_id]
  • The User tries to delete that object by calling object.destroy() or object.delete() while CLP Public Delete is not allowed
  • The User gets Permission Denied

Workaround in this case:

  • In beforeDelete the server needs to call Parse.Cloud.useMasterKey() <- Bad idea!
  • Create a cloud function deleteObject which takes the objectId and className of the object:

    Parse.Cloud.define('deleteObject', function (req, res) {
      // Build a handle on the object without fetching it (TargetClass avoids shadowing the global Object)
      var TargetClass = Parse.Object.extend(req.params.className);
      var object = TargetClass.createWithoutData(req.params.objectId);
      // if you want you can call object.fetch() or just do
      object.destroy({ useMasterKey: true }).then(function () {
        res.success();
      }, function (err) {
        res.error(err);
      });
      // for more security you can use sessionToken
      // object.destroy({ sessionToken: req.params.sessionToken }).then( ... ) <- I didn't test this yet
    });

  • Call that function from the client
flovilmart (Contributor) commented

You can use a pointer permission in the CLP for that; the Pointer Permission would be read/write for the user column and read-only for the others.

There is also that PR that adds logged in user as a CLP: #893
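The delete scenario above and the pointer-permission reply, as an added example (not code from this issue or from parse-server): a simplified model of how a request is authorized, with CLP evaluated before ACL. Key names such as `"*"`, `requiresAuthentication`, `pointerFields` and `role:` follow parse-server's schema CLP format; the evaluation logic, the sample Activity and the users are constructed for the example.

```javascript
// Added example (not parse-server code): a simplified model of how a Parse
// request is authorized. The server checks the Class-Level Permission (CLP)
// first and the object's ACL second; a CLP denial is final, which is why an
// ACL alone cannot let the owner delete in the scenario above. The key names
// ("*", requiresAuthentication, pointerFields, "role:") follow parse-server's
// schema CLP format; the evaluation itself is a model, not the server's code.

function clpAllows(clp, op, user, object, userRoles = []) {
  const rule = clp[op] || {};
  if (rule["*"]) return true;                   // "Public <op>" is checked
  if (!user) return false;                      // every other row needs a user
  if (rule[user.id] || rule.requiresAuthentication) return true;
  if (userRoles.some((r) => rule["role:" + r])) return true;
  // Pointer permission: allowed when a listed column points at the requester.
  return (rule.pointerFields || []).some(
    (f) => object[f] && object[f].id === user.id
  );
}

function aclAllows(acl, perm, user, userRoles = []) {
  const has = (k) => Boolean(acl[k] && acl[k][perm]);
  if (has("*")) return true;
  if (!user) return false;
  return has(user.id) || userRoles.some((r) => has("role:" + r));
}

// Server-side order: CLP first, then ACL.
function authorize(clp, op, user, object, userRoles = []) {
  if (!clpAllows(clp, op, user, object, userRoles)) return "denied by CLP";
  const perm = op === "get" || op === "find" ? "read" : "write";
  if (!aclAllows(object.ACL, perm, user, userRoles)) return "denied by ACL";
  return "allowed";
}

// Constructed sample: an Activity owned by alice, ACL [Public Read, Write: alice].
const alice = { id: "alice" };
const activity = { user: alice, ACL: { "*": { read: true }, alice: { write: true } } };
// CLP from the issue: Public Delete unchecked and no other delete row.
const strictClp = { find: { "*": true }, delete: {} };
// Same CLP with a pointer permission on the `user` column instead.
const pointerClp = { find: { "*": true }, delete: { pointerFields: ["user"] } };

function demo() {
  return {
    ownerDeleteStrict: authorize(strictClp, "delete", alice, activity),
    ownerDeletePointer: authorize(pointerClp, "delete", alice, activity),
    strangerDeletePointer: authorize(pointerClp, "delete", { id: "bob" }, activity),
    anonymousFind: authorize(pointerClp, "find", null, activity),
  };
}
```

With the strict CLP the owner is refused before the ACL is ever consulted; the pointer permission admits only the request whose `user` column matches, and still leaves the ACL check in place afterwards.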

benishak (Contributor, Author) commented Dec 1, 2016

Awesome, so we will see this in 2.3.0!
Sounds good
I updated the post for more scenarios and workarounds!

Cheers

flovilmart (Contributor) commented

#893 has been merged, and I believe this will address your scenarios right?

flovilmart (Contributor) commented Dec 6, 2016

ping @benishak

ananfang (Contributor) commented Apr 13, 2017

I have a scenario that cannot be implemented in the current parse-server. If there were a default User Role like @benishak described, it could work.

Private Account, like the Instagram scenario:
If you turn Private Account on in Instagram, all your photos will no longer be publicly readable, but your followers can read them.

Here is my assumed implementation using parse-server:

  1. There is a User Role (including all users)
  2. There are Follower Roles for each user. Each Follower Role contains:
    2a. users: all followers
    2b. roles: User Role

Then if a user turns Private Account on, we can just remove the User Role from the Follower Role. On the other hand, if you turn Private Account off, we just add the User Role back to the Follower Role.
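The Follower Role design above, as an added example (not code from this thread or from parse-server): a small model of Parse role inheritance, where a user holds a role directly through its `users` relation or transitively through any role listed in its `roles` relation. The role names, users and photo ACL are constructed, and the traversal is a model of the server's rules rather than its code.

```javascript
// Added example (not parse-server code): a model of Parse role inheritance,
// used to check the Follower Role design above. A user holds a role via its
// `users` relation, or transitively via any role in its `roles` relation.
// Names and users are constructed; the traversal models the server's rules.

// roles: name -> { users: [userIds], roles: [childRoleNames] }
function effectiveRoles(roles, userId) {
  const held = new Set();
  let changed = true;
  while (changed) { // fixpoint: a parent of a held role is held too
    changed = false;
    for (const [name, r] of Object.entries(roles)) {
      if (held.has(name)) continue;
      if (r.users.includes(userId) || r.roles.some((c) => held.has(c))) {
        held.add(name);
        changed = true;
      }
    }
  }
  return held;
}

function canRead(acl, roles, userId) {
  if ((acl["*"] && acl["*"].read) || (acl[userId] && acl[userId].read)) return true;
  const held = effectiveRoles(roles, userId);
  return Object.keys(acl).some(
    (k) => k.startsWith("role:") && acl[k].read && held.has(k.slice(5))
  );
}

// Private Account ON removes the User Role from the owner's Follower Role;
// OFF adds it back. The photo ACLs themselves are never rewritten.
function setPrivate(roles, owner, on) {
  const follower = roles["followersOf(" + owner + ")"];
  follower.roles = follower.roles.filter((r) => r !== "User");
  if (!on) follower.roles.push("User");
}

// Constructed data: carol follows alice; dave is just another logged-in user.
function demo() {
  const roles = {
    User: { users: ["alice", "carol", "dave"], roles: [] },
    "followersOf(alice)": { users: ["carol"], roles: ["User"] },
  };
  const photoAcl = { "role:followersOf(alice)": { read: true } };
  const publicDave = canRead(photoAcl, roles, "dave");
  setPrivate(roles, "alice", true);
  return { publicDave, privateDave: canRead(photoAcl, roles, "dave"),
           privateCarol: canRead(photoAcl, roles, "carol") };
}
```

Because every photo's ACL only ever names the follower role, toggling the account flips one role relation instead of rewriting every photo, which is the cost the later workaround in this thread pays.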

flovilmart (Contributor) commented

Not sure why you need that; there is now the requireAuthentication CLP, which basically lets you restrict access to only logged-in users.

ananfang (Contributor) commented Apr 13, 2017

@flovilmart
For example, there is a class Photo; every user can create photos just like on Instagram.

There is a feature called Private Account. If any user turns this on, his/her photos will be queryable only if the request is from his/her followers.

There is a workaround currently: the ACL of all photos from one user is public read while Private Account is OFF. If Private Account is ON, disable public read on all photos and set read access for a Role called 'followersOf(userId)' containing all followers of this user.

The con of this workaround is that we need to fetch all photos from this user when he/she switches Private Account ON/OFF, and change these photos' ACL.

P.S. It could not be done by the requireAuthentication CLP, because it should affect just some specific users' photos, not all objects in the Photo class.

flovilmart (Contributor) commented

The default User Role would not solve it either. I understand what you're trying to achieve; let me think of something.

@flovilmart flovilmart self-assigned this May 6, 2017
benishak (Contributor, Author) commented May 8, 2017

requiresAuthentication feature looks awesome!

@benishak benishak closed this as completed Jun 1, 2017
@mtrezza mtrezza added type:feature New feature or improvement of existing feature and removed type:improvement labels Dec 6, 2021