Closed
Description
I have recently noticed that a new parse-server project (i.e. one that hasn't been migrated from hosted Parse) has a security issue with the `_User` class.

Essentially parse-server creates the `_User` class in the `_SCHEMA` collection, but it doesn't default to locked down `_metadata` permissions — thus exposing the entire user base with a simple `new Parse.Query("_User").find()` query.

I propose that when the `_User` class is created, we lock it down automatically. If I have time I'll try and add a fix for this, but I thought I would highlight it ASAP to prevent any undue security issues with new apps using parse-server.