Summary
@jduskes-mogiletech raised a concern in PR #10279 (comment: #10279 (comment)) that the refactor of handleMe in src/Routers/UsersRouter.js may introduce a breaking change.
Claim
The Parse Platform REST guide (Security Edge Cases) documents that the /parse/users/me endpoint intentionally bypasses the Class-Level Permission (CLP) "Get" setting, allowing a logged-in user to always retrieve their own data regardless of CLP configuration.
What changed in PR #10279
Before the PR, handleMe fetched the user via { include: 'user' } using the master key context, which bypasses CLP entirely.
After the PR, handleMe re-fetches the user via rest.get using the caller's auth context, which causes CLP, protectedFields, and auth adapter afterFind hooks to be applied. This means if the _User class has a restrictive "Get" CLP (e.g., set to Master Key only or no access), a valid session holder may no longer be able to fetch their own data via /users/me, which is a behavioral regression.
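The regression described above, as an added model that is not Parse Server's own code: a CLP "get" rule in Parse's schema format checked against the caller's auth, an in-memory store standing in for the database, the pre-PR and post-PR handleMe paths side by side, and a third variant that keeps the master-key fetch but still runs afterFind-style hooks. All names, the store contents, the error message and the hook shape are constructed assumptions.

```javascript
// Constructed model, not Parse Server code: how the _User "get" CLP gates the
// caller's own record in the pre-PR and post-PR handleMe paths.

// CLP "get" rule in Parse's schema format: '*' (public), 'requiresAuthentication',
// 'role:<name>', or a user objectId. An empty object means master key only;
// no rule at all means the class has no CLP and is public.
function clpAllowsGet(getRule, auth) {
  if (auth.isMaster) return true;           // master key bypasses CLP entirely
  if (getRule === undefined) return true;   // no CLP configured
  if (getRule['*']) return true;
  if (!auth.user) return false;
  if (getRule.requiresAuthentication) return true;
  if (getRule[auth.user.objectId]) return true;
  return (auth.user.roles || []).some(r => getRule['role:' + r]);
}

// Constructed in-memory stand-in for the database.
const store = {
  sessions: { 'r:tok123': { userId: 'u1' } },
  users: { u1: { objectId: 'u1', username: 'alice', email: 'a@example.com', roles: [] } },
};

// Both paths resolve the session token first (done under master key in either case).
function userForSession(token) {
  const session = store.sessions[token];
  if (!session) throw new Error('invalid session token');
  return { ...store.users[session.userId] };
}

// Pre-PR: session fetched with { include: 'user' } under master key, so CLP never runs.
function handleMeBefore(token) {
  return userForSession(token);
}

// Post-PR: the user is re-fetched under the caller's own auth, so the "get" CLP applies
// and a master-key-only rule denies the caller their own record.
function handleMeAfter(token, clpGet) {
  const user = userForSession(token);
  if (!clpAllowsGet(clpGet, { isMaster: false, user })) {
    throw new Error('permission denied for get on _User'); // constructed message
  }
  return user;
}

// Assumed remediation shape: keep the master-key fetch (CLP bypassed) but still pass the
// result through afterFind-style hooks, modelled here as plain functions over the user.
function handleMeWithHooks(token, afterFindHooks) {
  return afterFindHooks.reduce((user, hook) => hook(user), userForSession(token));
}
```

With an empty "get" rule (master key only) the post-PR path denies the session holder their own record while the pre-PR path returns it; with requiresAuthentication both paths agree.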
Action Required
/users/me bypasses "Get" CLP.
afterFind hooks while still bypassing CLP for /users/me.
References