I'm using the REST API to sign up a new user and I noticed that Parse creates the ACL with a public read and objectId of the user. Why? Is there a reason behind that default behavior? If we only use the objectId of the user, that should make the record more secure, right? Maybe it needs to be that way so Parse Server can obtain the objectId before setting up the ACL? Is there a way when signing up a new user to set up the ACL for the user only (of course I don't want to make a second call to the REST API to set up the ACL)?
Partially. A user can't be signed up unless the current user (public generally) has access in that object's ACL. Beyond that, publicly checking users keeps additional lookup features from requiring the masterKey, without divulging anything sensitive. Technically you could make that user readable by the user only, but this would be like making a hidden user of sorts, and I would imagine it might cause issues with later functionality, such as logging in (just a hunch).
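The two ACL shapes discussed in this thread, compared in an added example that is not part of the original issue and is not Parse Server's own code: a small model of how a Parse-style ACL object (keys `*`, an objectId, or `role:<name>`) decides read and write access. The objectId and the helper names `aclAllows` and `auditAcl` are constructed for illustration.

```javascript
// Constructed sample objectId; not taken from any real deployment.
const SAMPLE_USER_ID = "u1a2b3c4d5";

// ACL shape described in the question: public read plus the user's own entry.
const defaultSignupAcl = {
  "*": { read: true },
  [SAMPLE_USER_ID]: { read: true, write: true },
};

// Owner-only variant the question asks about: no "*" entry at all.
const ownerOnlyAcl = {
  [SAMPLE_USER_ID]: { read: true, write: true },
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Model of ACL evaluation (an assumption-level sketch, not server code).
// requester: { userId: string|null, roles: string[], useMasterKey: boolean }
// permission: "read" or "write"
function aclAllows(acl, requester, permission) {
  if (requester.useMasterKey) return true; // the master key bypasses ACLs
  const principals = ["*"]; // every request matches the public entry
  if (requester.userId) principals.push(requester.userId);
  for (const role of requester.roles || []) principals.push(`role:${role}`);
  return principals.some(
    (p) => has(acl, p) && acl[p] !== null && acl[p][permission] === true
  );
}

// Flags what an unauthenticated client is granted by the "*" entry.
function auditAcl(acl) {
  const pub = has(acl, "*") && acl["*"] ? acl["*"] : {};
  const findings = [];
  if (pub.read === true) findings.push("public-read");
  if (pub.write === true) findings.push("public-write");
  return findings;
}

const anonymous = { userId: null, roles: [], useMasterKey: false };
for (const [name, acl] of Object.entries({ defaultSignupAcl, ownerOnlyAcl })) {
  console.log(name, {
    anonymousRead: aclAllows(acl, anonymous, "read"),
    anonymousWrite: aclAllows(acl, anonymous, "write"),
    findings: auditAcl(acl),
  });
}
```

With the owner-only shape, any lookup of that user by another client would need the master key, which is the trade-off the reply above points at.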
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.