Reputation: 5472
I'm currently using a self-hosted, up-to-date Parse Server, but I'm facing some security issues.
At the moment, calls made to the route `/classes` can retrieve any object in any table and, even though I might want an object to be publicly readable, I wouldn't like to show all the parameters of that object. Briefly, I don't want the database to be retrieved in any case; I would like to disable "everything" except the Parse Cloud code. That is, I would be able to run calls to my own functions, but not be able to use clients (Android, iOS, C#, Javascript...) to retrieve data.
Is there any way to do this? I've been searching deeply for this, trying to debug some Controllers, but I don't have any clue.
Thank you very much in advance.
Upvotes: 1
Views: 183
Reputation: 9912
tl;dr: set the ACL for all objects to be only readable when using the master key and then tell the query in Cloud Code to use the MK when querying your data
So without changing Parse Server itself you could make use of ACL and only allow a specific user to access objects. You would then "login" as that user in your Cloud Code and be able to access all objects.
As the old method, `Parse.Cloud.useMasterKey()`, isn't available in the OS Parse Server, you will have to pass the parameter `useMasterKey` to the query you are running, which should do the trick for this particular request and will bypass ACL/CLP. There is an example in the Wiki of Parse Server as well.
For convenience, here is a short code example from the Wiki:
```javascript
Parse.Cloud.define('getTotalMessageCount', function(request, response) {
  var query = new Parse.Query('Messages');
  // Passing useMasterKey makes count() bypass ACLs/CLPs for this request only
  query.count({ useMasterKey: true })
    .then(function(count) {
      response.success(count);
    }, function(error) {
      // Without this branch a failed query would leave the request unanswered
      response.error(error);
    });
});
```
Upvotes: 1
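To make the answer's two moves concrete (lock objects down with an ACL that only the master key satisfies, then read them from Cloud Code with `useMasterKey` and hand back only the fields you choose), here is an added, self-contained model of how Parse evaluates an object's ACL on read. It is example code written for this page, not code from the answer or from Parse Server; `canRead`, `queryAsClient`, `pickFields`, `getProductSummaries` and the sample rows are all constructed, and in real Cloud Code the master-key read is `query.find({ useMasterKey: true })` on a `Parse.Query`.

```javascript
// Added example: a small model of Parse's per-object ACL check on read.
// Parse's real ACL shape is { "<userId>" | "role:<name>" | "*": { read, write } }.

// An ACL with no entries: nobody can read or write except requests that carry
// the master key (what you get from `new Parse.ACL()` left empty).
function masterKeyOnlyAcl() {
  return {};
}

// Requester is a constructed shape: { masterKey: true } for Cloud Code using
// useMasterKey, { userId, roles: [...] } for a logged-in user, {} for anonymous.
function canRead(acl, requester) {
  if (requester.masterKey) return true;                 // master key bypasses ACLs
  if (!acl) return true;                                // no ACL at all == public in Parse
  if (acl['*'] && acl['*'].read) return true;           // public read
  if (requester.userId && acl[requester.userId] && acl[requester.userId].read) return true;
  for (const role of requester.roles || []) {
    const entry = acl['role:' + role];
    if (entry && entry.read) return true;               // role-based read
  }
  return false;
}

// What a client hitting /classes/<Class> would get back: only the rows whose
// ACL lets that requester read them.
function queryAsClient(rows, requester) {
  return rows.filter(row => canRead(row.ACL, requester));
}

// Whitelist the fields a Cloud function returns, so a master-key read does not
// leak the whole row to the caller (the asker's second concern).
function pickFields(obj, fields) {
  const out = {};
  for (const f of fields) if (f in obj) out[f] = obj[f];
  return out;
}

// Model of a Cloud function: read everything with the master key, return a
// trimmed view. Clients calling this function never see costPrice or supplier.
function getProductSummaries(rows) {
  const all = queryAsClient(rows, { masterKey: true });
  return all.map(r => pickFields(r, ['objectId', 'name', 'price']));
}

// Constructed sample rows in Parse's REST shape; two are master-key-only,
// one is deliberately left publicly readable for contrast.
const SAMPLE_ROWS = [
  { objectId: 'a1', name: 'Widget', price: 9.5, costPrice: 4.1, supplier: 'ACME',   ACL: masterKeyOnlyAcl() },
  { objectId: 'b2', name: 'Gadget', price: 19,  costPrice: 11,  supplier: 'Globex', ACL: masterKeyOnlyAcl() },
  { objectId: 'c3', name: 'Banner', price: 0,   costPrice: 0,   supplier: 'n/a',    ACL: { '*': { read: true } } },
];

// Anonymous client through /classes sees only the public row; the Cloud
// function sees all three but returns only the whitelisted fields.
console.log(JSON.stringify(queryAsClient(SAMPLE_ROWS, {}), null, 2));
console.log(JSON.stringify(getProductSummaries(SAMPLE_ROWS), null, 2));
```

The point of `pickFields` is that `useMasterKey` alone widens what Cloud Code can read; it does nothing to narrow what the function hands back, so the response shape has to be built explicitly. The ACL check only covers objects that carry one; rows saved without an ACL stay public, which is why the answer pairs ACLs with CLPs on the class.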