parse.com-php-library
update user without session token
You should be able to update a user without a session token if you are using the master key right? Two questions there:
- If so, should we change the check on update user to not require sessionToken?
- How do we set it so that the code uses the master key only when doing parse operations? Thanks, -jim
Sorry for just getting back to you on this, been busy lately.
I think you'll have to show me in the docs where it says you can update a user with a master key, I can't find it anywhere. I only see mention of the master key being used for superseding/ignoring ACLs. But I assume it's there, I just don't see it, so I'll try to answer the questions:
I think for public facing APIs this option has some potential security issues. Instead of needing the session token to update a user, somebody with malicious intent would only need to figure out how to trigger our code to use the master key instead of the session token. I think a better way to do a 'master override' for updating a user would be a special function of the parse api. Developers would be encouraged to only use that function for calling from php (i.e. a cron job).
So, if a user is requesting a change to their account it shouldn't be a problem on the client side to retrieve a session token. However I think you are right, we do need the ability to easily update a user account without one, essentially to side-load things from a cron job or another non-user-initiated event.
My vote would be a new function in the user class to do this, it would be a quick one to write too... but I'll need to see the docs where this is possible :) If it's not, I think we need to propose it to the parse.com team.
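The design argued for in the reply above, as an added example (not code from parse.com-php-library): the ordinary user update always requires a session token and never falls back to the master key, and the master-key path exists only as a separately named function that a cron job calls on purpose. The `X-Parse-*` header names are the Parse REST API's; the class and function names, the `PARSE_*` environment variables and the CLI-only restriction are assumptions made for the example.

```php
<?php
// Added example, not part of parse.com-php-library. Shows two distinct update
// paths so that "no session token" can never silently become "use master key".

class ParseUserUpdater
{
    const USERS_URL = 'https://api.parse.com/1/users/';

    private $appId;
    private $restKey;
    private $masterKey; // null in web-facing processes; set only in cron scripts

    public function __construct($appId, $restKey, $masterKey = null)
    {
        $this->appId = $appId;
        $this->restKey = $restKey;
        $this->masterKey = $masterKey;
    }

    // Build the PUT request without sending it, so callers (and tests) can
    // inspect exactly which credential header is attached.
    private function buildRequest($objectId, array $fields, array $authHeader)
    {
        if (!preg_match('/^[A-Za-z0-9]+$/', $objectId)) {
            throw new InvalidArgumentException('objectId must be alphanumeric');
        }
        $headers = array_merge(array(
            'X-Parse-Application-Id: ' . $this->appId,
            'X-Parse-REST-API-Key: ' . $this->restKey,
            'Content-Type: application/json',
        ), $authHeader);
        return array(
            'url'     => self::USERS_URL . rawurlencode($objectId),
            'headers' => $headers,
            'body'    => json_encode($fields),
        );
    }

    // User-initiated update: the session token is mandatory. An empty token is
    // an error, not a reason to try a more powerful credential.
    public function updateUser($objectId, array $fields, $sessionToken)
    {
        if (!is_string($sessionToken) || $sessionToken === '') {
            throw new InvalidArgumentException('a session token is required to update a user');
        }
        return $this->buildRequest($objectId, $fields, array('X-Parse-Session-Token: ' . $sessionToken));
    }

    // Master override: reachable only by calling this function by name from
    // server-side code (assumed here: CLI/cron only), so a missing session
    // token elsewhere in the app cannot escalate into a master-key write.
    public function updateUserAsMaster($objectId, array $fields)
    {
        if ($this->masterKey === null) {
            throw new LogicException('master key is not configured for this process');
        }
        if (PHP_SAPI !== 'cli') {
            throw new LogicException('master-key updates are restricted to CLI (cron) use');
        }
        return $this->buildRequest($objectId, $fields, array('X-Parse-Master-Key: ' . $this->masterKey));
    }

    // Send a request built above and return the decoded JSON response.
    public function send(array $request)
    {
        $ch = curl_init($request['url']);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
        curl_setopt($ch, CURLOPT_HTTPHEADER, $request['headers']);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $request['body']);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        $raw = curl_exec($ch);
        if ($raw === false) {
            $err = curl_error($ch);
            curl_close($ch);
            throw new RuntimeException('Parse request failed: ' . $err);
        }
        curl_close($ch);
        return json_decode($raw, true);
    }
}

// Usage from a cron script (assumed environment variable names). A web
// request handler would construct the updater WITHOUT the third argument,
// so updateUserAsMaster() cannot succeed there even if it is reached.
$updater = new ParseUserUpdater(
    getenv('PARSE_APP_ID'),
    getenv('PARSE_REST_KEY'),
    getenv('PARSE_MASTER_KEY') ?: null
);
$req = $updater->updateUserAsMaster('xWMyZ4YEGZ', array('emailVerified' => true));
// $updater->send($req);
```

Keeping the master key out of the web process entirely (only the cron script's environment carries `PARSE_MASTER_KEY`) is what makes the override safe: the check in `updateUserAsMaster()` is a guard, but the real control is that the credential is simply absent where untrusted input is handled.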