afterFind hook don't fire on 'create' event of live query. #4241
Comments
|
You should implement afterSave/beforeSave to intercept objects on creation. |
|
my goal is not to intercept object in creation and i need to send the data to the client without changing it the DB because it do some tests and decide to change it or not and it does not change the data always so i need the data intact in the DB. |
|
It's not supported at the moment. |
|
but afterSave fire and do it's work on each of 'find' and 'get' method of the query object and 'update' 'delete', 'enter', 'leave' events of the subscription object of liveQuery so what you are saying it is not implemented for 'create' event? |
|
the cloud code hooks are not related to liveQuery, afterFind should only trigger for a query or a fetch, not when a new object is created because well, that's not a find. What I am saying now, is that there is no official way to mutate data before it's flushed out to liveQuery, and probably this could be implemented one way or another. |
|
ok i tried to use 'onLiveQueryEvent' trigger but it does not fire on 'create' event |
|
no it doesn't it only traces connections / subscription and is not designed to let you modify the content of the response either. PR are welcome. |
|
any idea on how i can change the 'create' event so i be able to change the response. |
|
At the moment, it’s not supported but feel free to open a PR to add the support for this. |
|
@flovilmart Does this mean that it's insecure to use afterFind to strip out / modify fields as someone could potentially just subscribe to the object to get the full data? |
|
Yes that’s what it means |
|
Okay. Is there any way to strip out fields for classes other than "_User" then? Or is it best to just use a new class with ACLs? |
|
feel free to use the way you think is best |
|
Thanks @flovilmart. I might have a look at working on a PR. I think it's worth highlighting either in the cloud code docs or the LiveQuery that after find triggers aren't always honoured. In my case, it means I'll be reworking my classes instead of using the afterFind. |
|
@dblythy You can also perhaps open a PR to fix it for every one which would be the ‘nice’ thing to do. Also I closed your issue because you cannot disclose potential security issues this way, as it is stated, in the issue template you used. This is irresponsible as you are putting many developers and potentially millions of users at risk. |
|
Okay no worries @flovilmart. I'll work on a PR for the security issue first. |
|
Thanks! |
I'm using the latest version of parse-server.
I implemented afterFind hook in the parse server to intercept some data and modify it before it goes to the client like so:
Parse.Cloud.afterFind('Question', function(req, res) { //change the data res.success(result); })everything work fine in the client for find and get of the query object, update delete enter leave events of the liveQuery while data come modified, except for the create event of the live query the data comes raw without been modified.
So is that an issue or it is designed to work like so and is there a work around this.
The text was updated successfully, but these errors were encountered: