Security issue with default _User class permissions (new apps only) #387
Labels
type:bug
Impaired feature or lacking behavior that is likely assumed
Comments
jamiechapman
changed the title
drew-gross
added
the
type:bug
|
Thanks for the note! Fortunately this only affects new apps, so any migrated apps won't be vulnerable to new security issues. A PR would be very much appreciated :) |
|
@drew-gross I can take care of that one too. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I have recently noticed that a new parse-server project (i.e. one that hasn't been migrated from hosted Parse) has a security issue with the
_Userclass.Essentially parse-server creates the
_Userin the_SCHEMAcollection, but it doesn't default to locked down_metadatapermissions — thus exposing the entire user base with a simplenew Parse.Query("_User").find()query.I propose that when the
_Userclass is created, we lock it down automatically. If I have time I'll try and add a fix for this, but I thought I would highlight it asap to prevent any undue security issues with new apps using parse-server.The text was updated successfully, but these errors were encountered: