Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make requests from cloud code function as requesting user #1773

Closed
3 tasks done
JeremyPlease opened this issue May 12, 2016 · 2 comments
Closed
3 tasks done

Make requests from cloud code function as requesting user #1773

JeremyPlease opened this issue May 12, 2016 · 2 comments

Comments

@JeremyPlease
Copy link
Contributor

JeremyPlease commented May 12, 2016
edited
Loading

Environment Setup

  • Server: v2.2.9, OSX, local
  • Database: mongodb 3, local

Steps to reproduce

  1. Create a class with CLP that only allows one role to create.
  2. Create a user and add to said role.
  3. Run cloud function that creates an object on the class.
  4. Get an error of {code: 119, message: "Permission denied for this action."}

If I use .save(null, { sessionToken: req.user.getSessionToken() }) then the save works, however I would like all saves and queries in cloud code functions to use the requesting users session.

A quick work around I've implemented is to override the Parse.Cloud.define function like so:
EDIT: Don't do this. It's bad. Technically this overrides the global Parse JS SDK REST request function on every cloud request. If multiple requests come in at the same time and then handle other requests in promises, the most recent session token will be used on all requests

var originalDefine = Parse.Cloud.define;

Parse.Cloud.define = function(name, originalFunction) {
  var newFunction = _generateFunction(name, originalFunction);
  originalDefine.apply(this, [name, newFunction]);
}

function _generateFunction(name, originalCloudFunction) {
  var newFunction = function(request, response) {
    // Override Parse RESTController request to set token
    var token = request.user.getSessionToken();
    var RESTController = Parse.CoreManager.getRESTController();
    var originalRequest = RESTController.request;
    RESTController.request = function() {
      var options = arguments[3] || {};
      options.sessionToken = token;
      return originalRequest.apply(this, arguments);
    }
    return originalCloudFunction.apply(this, arguments);
  };
  return newFunction;
}
@JeremyPlease JeremyPlease mentioned this issue May 13, 2016
Closed
@mbilling
Copy link

This is the way that cloud function should have been implemented. But it's documented that you should set sessionToken on all calls to api. See https://github.com/ParsePlatform/parse-server/wiki/Compatibility-with-Hosted-Parse

You should request a pull. I'm sure that it would get accepted. Since it matches how the whole parse.com documentation is written

@JeremyPlease
Copy link
Contributor Author

@mbilling I spent some time looking into this and I've determined there's no viable way to automatically use the requesting user's sessionToken in all requests made from a cloud function.

The cloud functions in the open source Parse Server use a global Parse object (which is the Parse JS SDK) for requests (creates, reads, updates, and deletes). Therefore, if you set a current sessionToken or current user on the JS SDK, then all subsequent or concurrent requests will be made with the most recently set sessionToken.

The only solution to this issue is to include the options { sessionToken: req.user.getSessionToken() } on any and all requests in cloud code that should be made as the requesting user.

@snyk-bot snyk-bot mentioned this issue Jul 26, 2020
Merged
@snyk-bot snyk-bot mentioned this issue Jan 29, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JeremyPlease @mbilling