Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve default Parse.User security #7292

Closed
3 tasks done
dblythy opened this issue Mar 22, 2021 · 3 comments
Closed
3 tasks done

Improve default Parse.User security #7292

dblythy opened this issue Mar 22, 2021 · 3 comments
Labels
type:feature New feature or improvement of existing feature

Comments

@dblythy
Copy link
Member

dblythy commented Mar 22, 2021
edited
Loading

New Feature / Enhancement Checklist

Current Limitation

By default, when a new user is created, it will have public R, unless overriden by a cloud function.

Feature / Enhancement Description

Currently, to secure users, you need to create a cloud function. In my view, the reverse should be the case - that by default, the Parse.User ACL is R+W false, and if you want the "old" functionality, you should use a cloud function.

The changelog would be:

Breaking Change: Parse.User now defaults to public R false on signup. To achieve public read on sign up, use a cloud trigger:

Parse.Cloud.beforeSave(Parse.User, ({object}) => {
  if (!object.existed()) {
    const acl = new Parse.ACL();
    object.setPublicReadAccess(true);
    object.setACL(acl);
  }
});

Alternatives / Workarounds

Create a cloud function to prevent public R access on signup. It's my view this should be reversed - a cloud function shouldn't be needed to secure the user class.
@mtrezza
Copy link
Member

mtrezza commented Mar 22, 2021
edited
Loading

Thanks for suggesting.

From a security perspective we want to move towards a strict default, so your suggestion to change the default makes sense.

As we are moving towards phased depreciation, before this would become a breaking change, the following would need to be implemented:

  • A Parse Server option that allows to define whether a new User should be public or private with the default being public (status quo)
  • A "default deprecation warning" that the default will change in a future version (PR for this is in the works to standardize and centralize these deprecation warnings)
  • A Security Check that if the option is public (by default or explicitly set) it constitutes a weak security setting.
  • A new Parse Server release needs to be published (planned for the coming weeks)
  • Not earlier than 12 months after the new release has been published (6 months normally, but for this first release following the new versioning system, we give developers more time to hop on the new release train and upgrade), the default can be changed and the deprecation warning removed. Depending on developer feedback, the deprecation may be further postponed.

@mtrezza mtrezza mentioned this issue Mar 22, 2021
Closed
18 tasks
@dblythy
Copy link
Member Author

dblythy commented Mar 24, 2021
edited
Loading

Awesome, thanks for the detailed write up. This will be a good way to show the depreciation policy, considering it will only change a few lines of code. I’ll submit a PR shortly.

@mtrezza mtrezza mentioned this issue Mar 26, 2021
Merged
7 tasks
@dblythy dblythy mentioned this issue Apr 4, 2021
Merged
5 tasks
@dblythy
Copy link
Member Author

dblythy commented Oct 8, 2021

Closed via #7319. On master, if you set enforcePrivateUsers to true, users ACL won't have public read on signup.

@dblythy dblythy closed this as completed Oct 8, 2021
@mtrezza mtrezza added type:feature New feature or improvement of existing feature and removed type:improvement labels Dec 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:feature New feature or improvement of existing feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dblythy @mtrezza