Add method to get all roles of a `Parse.User`

Open jaysonng opened this issue 3 years ago • 6 comments
New Feature / Enhancement Checklist

Current Limitation

Currently, to get what Roles a user has been assigned, you would need to have your own method to run a query to get the Roles the current user has.

Feature / Enhancement Description

I'm hoping that we have a getUserRoles method on the Parse.User object where we can just call the currentUser object and receive an array of Role objects the user has been assigned.

Example Use Case

let currentUserRoles = currentUser.getUserRoles()

Alternatives / Workarounds

Currently, we have to make our own method to run the query like so:

Parse.Cloud.define("getUserRoles", async (request) => {
	const { user } = request
	
	return await new Parse.Query(Parse.Role).equalTo("users", user).find({useMasterKey:true})
}, {
    requireAnyUserRoles: ["admin"]
})

3rd Party References

none that I can think of.

jaysonng, Aug 09 '22 08:08

Thanks for opening this issue!

  • 🎉 We are excited about your ideas for improvement!

It looks pretty simple to implement. What about security though? Maybe a user should not always know which roles they are a part of. How is that currently restricted? A user can only know their role if they are added to the role's ACL to query the Role class, correct?

mtrezza, Aug 09 '22 10:08

From how I understand it, if we wanted to restrict the user knowing what Roles he has, it should be fixed by editing the ACL or CLP of Roles, should it not?

Then running this method will return what Role he has access to or a blank array.

> A user can only know their role, if they are added to the role's ACL to query the Role class, correct?

Yes. Developers should definitely set up the ACL like all the other classes for security reasons.

jaysonng, Aug 09 '22 14:08

That means your "workaround" with useMasterKey: true would not be applicable. For a broad application, I guess the feature should forward the useMasterKey parameter to the query, so that internally it can be used to retrieve all roles, or the user can request it according to the ACL.

Something like:

class Parse.User {
  async getRoles({ useMasterKey, ... }) {
    return new Parse.Query(Parse.Role).equalTo("users", this).find({ useMasterKey });
  }
}

mtrezza, Aug 09 '22 18:08
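
An added example, not part of the original thread and not Parse Server code: a simplified in-memory model of the read-ACL check on Role objects, showing how the result of the `getRoles` sketch above changes depending on whether `useMasterKey` is forwarded. The role data, user ids and function names are constructed for illustration; role inheritance and CLPs are not modeled.

```javascript
// Constructed sample data: Role rows reduced to name, member ids and ACL.
const ROLES = [
  { name: "admin", users: ["u1"], ACL: { "role:admin": { read: true, write: true } } },
  { name: "moderator", users: ["u1", "u2"], ACL: { "*": { read: true } } },
  { name: "auditor", users: ["u2"], ACL: { u2: { read: true } } },
  { name: "shadowBanned", users: ["u2"], ACL: {} }, // readable with master key only
];

// Read is granted if any principal the caller holds ("*", own id, "role:<name>")
// has read: true in the object's ACL.
function canRead(acl, userId, roleNames) {
  const principals = ["*", userId, ...roleNames.map((n) => `role:${n}`)];
  return principals.some((p) => acl[p] !== undefined && acl[p].read === true);
}

// Model of: new Parse.Query(Parse.Role).equalTo("users", user).find({ useMasterKey })
function getRoles(roles, userId, { useMasterKey = false } = {}) {
  const memberOf = roles.filter((r) => r.users.includes(userId));
  if (useMasterKey) return memberOf.map((r) => r.name); // ACLs are bypassed
  const names = memberOf.map((r) => r.name);
  // Without the master key, only roles whose ACL lets this user read them come back.
  return memberOf.filter((r) => canRead(r.ACL, userId, names)).map((r) => r.name);
}

console.log("u2 with master key:", getRoles(ROLES, "u2", { useMasterKey: true }));
console.log("u2 as themselves: ", getRoles(ROLES, "u2"));
```

In this model, user `u2` never learns about `shadowBanned` unless the call runs with the master key, which is the case the Cloud Code workaround with `useMasterKey:true` exposes to the caller.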

Sorry, yeah, that code I have is what I use now for my use case and on CloudCode.

Definitely need to change it to something else that will work for more people.

jaysonng, Aug 10 '22 09:08

Isn’t this a JS SDK issue/feature?

dblythy, Aug 30 '22 14:08