parse-dashboard
Session ACL is "Public RW" while it's protected
New Issue Checklist
- [x] I am not disclosing a vulnerability.
- [x] I am not just asking a question.
- [x] I have searched through existing issues.
- [x] I can reproduce the issue with the latest version of Parse Server.
Issue Description
ACL for the Session class says Public Read and Write for all rows, which is confusing for developers.
Parse docs explain that ACL should be set to a role or a user id in order to be protected.
Session Class seems to be protected under the hood, but the UI says Public Read and Write in the ACL column, which we should fix.
Steps to reproduce
Spin up a server and login a user.
Actual Outcome
All rows in Session class have ACL set to "Public Read and Write"
Expected Outcome
All rows in Session class should have ACL set to userID
Environment
Server
- Parse Server version: latest
- Operating system: mac
- Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): local
Database
- System (MongoDB or Postgres): mongo
- Database version: not sure
- Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): local
Client
- SDK (iOS, Android, JavaScript, PHP, Unity, etc): JS
- SDK version: latest
Logs
Thanks for opening this issue!
- 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.
the UI says
Do you mean the UI in Parse Dashboard?
Yea exactly I realize now it’s not the correct repo for this issue - I can move it to the dashboard repo?
Are you referring to the dialog below? If yes, what are the changes you propose?
It doesn't say "all fields", so the information is at least not incorrect. But as I understand from your issue, it doesn't mention that _Session is a special class that has some access limitations built into Parse Server. Since these limitations can change anytime on the server side, I don't think a specific message should be built into Parse Dashboard. The message would become incorrect when using a different version of Parse Server or just a different server configuration.


No, I am referring to the ACL column. It says "Public Read and Write" for all rows.
Each user can only get Sessions belonging to them.
Therefore the UI should say userId for each row and not Public Read and Write.
I understand that _Session is a special class, but our developers ask us to explain why ACL is set to public RW (they are worried all their user sessions are public) and we have to explain to them that it's a special class, etc.
It's confusing, don't you agree?

Therefore the UI should say userId for each row and not Public Read and Write
Yes, I guess that makes sense. Do you want to open a PR to fix this?
You could start by investigating in Parse Dashboard why it is displayed as "Public Read + Write", i.e. what the server response is and how that is interpreted by Parse Dashboard to display the "Public Read + Write". This may indeed be a Parse Server issue, because I assume the server should already send the correct ACL, which maybe should be the user ID, as you suggest.
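As an added illustration of the investigation suggested above (this is example code, not Parse Dashboard's or Parse Server's own implementation): a Parse ACL travels in the JSON response as an object keyed by `*` (public), a user objectId, or `role:<name>`, each mapping to `{read, write}` flags, and an object with no ACL field at all is treated by Parse as publicly readable and writable. The helper below renders such an ACL into a summary line in the style of the dashboard's ACL column, treats the missing-ACL case explicitly, and checks whether a row carries the owner-only ACL the reporter expects. The row objects and ids (`sess1`, `u1`, etc.) are constructed sample data, not real server output.

```javascript
// Added example, not code from Parse Dashboard or Parse Server.
// Parse ACL JSON shape (as returned by the REST API):
//   { "*": {read, write}, "<userId>": {read, write}, "role:<name>": {read, write} }
// A row with no ACL field is, by Parse's default, public read + write,
// which is exactly the condition that shows up as "Public Read + Write".

function describeAcl(acl) {
  // Missing or empty ACL: Parse's default is public read and write.
  if (acl === undefined || acl === null || Object.keys(acl).length === 0) {
    return 'Public Read + Write (no ACL set)';
  }
  const parts = [];
  for (const [principal, perms] of Object.entries(acl)) {
    const rights = [perms.read ? 'Read' : null, perms.write ? 'Write' : null]
      .filter(Boolean)
      .join(' + ');
    if (!rights) continue; // entry grants nothing, skip it
    if (principal === '*') {
      parts.push(`Public ${rights}`);
    } else if (principal.startsWith('role:')) {
      parts.push(`Role ${principal.slice('role:'.length)} ${rights}`);
    } else {
      parts.push(`User ${principal} ${rights}`);
    }
  }
  return parts.length ? parts.join(', ') : 'No access';
}

// The ACL the reporter expects on a session row: only the owning user.
function ownerOnlyAcl(userId) {
  return { [userId]: { read: true, write: true } };
}

// True only if the ACL grants read+write to exactly the owner and nobody else
// (no public entry, no roles, no other users).
function isOwnerOnly(acl, userId) {
  if (!acl) return false;
  const keys = Object.keys(acl);
  return (
    keys.length === 1 &&
    keys[0] === userId &&
    acl[userId].read === true &&
    acl[userId].write === true
  );
}

// Constructed sample rows (hypothetical ids, not real server output).
const sampleRows = [
  // no ACL field at all -> rendered as public read + write
  { objectId: 'sess1', user: { __type: 'Pointer', className: '_User', objectId: 'u1' } },
  { objectId: 'sess2', user: { __type: 'Pointer', className: '_User', objectId: 'u2' }, ACL: ownerOnlyAcl('u2') },
  { objectId: 'sess3', user: { __type: 'Pointer', className: '_User', objectId: 'u3' }, ACL: { '*': { read: true, write: true } } },
];

// One summary line per row, flagging rows whose ACL is not owner-only.
function summarize(rows) {
  return rows.map(r => {
    const owner = r.user && r.user.objectId;
    const flag = isOwnerOnly(r.ACL, owner) ? '' : '  <-- not owner-only';
    return `${r.objectId}: ${describeAcl(r.ACL)}${flag}`;
  });
}

for (const line of summarize(sampleRows)) console.log(line);
```

Running this prints one line per sample row; `sess1` and `sess3` are flagged because neither has an ACL restricted to its owner, while `sess2` passes. Whether the server actually omits the ACL on `_Session` rows or sends something else is what the investigation above would establish; this helper only shows how each shape would be rendered.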
Yes we will check!