USER #4481
Partially. A user can't be signed up unless the current user (public generally) has access in that object's ACL. Beyond that, publicly checking users keeps additional lookup features from requiring the masterKey, without divulging anything sensitive. Technically you could make that user readable by the user only, but this would be like making a hidden user of sorts, and I would imagine it might cause issues with later functionality, such as logging in (just a hunch).
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I'm using the REST API to sign up a new user and I noticed that Parse creates the ACL with a public read and the objectId of the user. Why? Is there a reason behind that default behavior? If we only use the objectId of the user, that should make the record more secure, right? Maybe it needs to be that way so Parse Server can obtain the objectId before setting up the ACL? Is there a way, when signing up a new user, to set up the ACL for the user only (of course I don't want to make a second call to the REST API to set up the ACL)?
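An added example, not part of the original thread and not Parse Server's own code: a simplified model of how a Parse-style ACL object grants read and write access, comparing the default signup ACL described in the question with an owner-only ACL. The function names, the sample objectIds and the simplification that role entries are ignored are assumptions made for illustration.

```javascript
// Simplified model of Parse-style ACL evaluation (illustration only).
// ACL shape: { "*": { read: true }, "<objectId>": { read: true, write: true } }
// Assumption: role entries ("role:Name") are not modelled here.

const USER_ID = "aB3dE5fG7h";  // constructed sample objectId
const OTHER_ID = "zZ9yY8xX7w"; // constructed sample objectId

// ACL the question describes for a newly signed-up user: public read + owner.
const defaultSignupAcl = {
  "*": { read: true },
  [USER_ID]: { read: true, write: true },
};

// Owner-only variant the question asks about.
const ownerOnlyAcl = {
  [USER_ID]: { read: true, write: true },
};

// Look up an ACL entry without touching inherited properties.
function entryFor(acl, key) {
  return Object.prototype.hasOwnProperty.call(acl, key) ? acl[key] : undefined;
}

// caller: { userId?: string, masterKey?: boolean }; op: "read" | "write"
function isAllowed(acl, op, caller = {}) {
  if (caller.masterKey === true) return true; // master key bypasses ACLs
  const pub = entryFor(acl, "*");
  if (pub && pub[op] === true) return true;   // public entry applies to anyone
  const own = caller.userId ? entryFor(acl, caller.userId) : undefined;
  return Boolean(own && own[op] === true);
}

// Who can do what under a given ACL.
function accessMatrix(acl) {
  const callers = {
    anonymous: {},
    owner: { userId: USER_ID },
    otherUser: { userId: OTHER_ID },
    masterKey: { masterKey: true },
  };
  const out = {};
  for (const [name, caller] of Object.entries(callers)) {
    out[name] = `${isAllowed(acl, "read", caller) ? "r" : "-"}${isAllowed(acl, "write", caller) ? "w" : "-"}`;
  }
  return out;
}

console.log("default signup ACL:", accessMatrix(defaultSignupAcl));
console.log("owner-only ACL:    ", accessMatrix(ownerOnlyAcl));
```

Under the owner-only ACL, anonymous callers and other users lose read access, so any lookup of that user from another session needs the master key, which is the trade-off the reply above describes.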