Securing Your Parse.com Database and Using PHP to Override ACL

After discovering some of the insecurities of using Parse.com to store data, I’ve been researching techniques to use to make applications more secure. I’ve discovered a number of ways to help secure your data and protect personal information stored in your database through settings and server-side code. If you use the JavaScript SDK to connect to Parse, some of these techniques are critical to secure your app.

Easy Win – Secure Your Classes

If you are running the JavaScript SDK on a production application, whether mobile or web-based, there are two quick wins to help secure your data.

Disable Class Creation

In order to stop people from creating classes in your database (as I did in my previous article), you should turn off Class Creation. The setting can be found under [Settings] > [General Settings] > [App Permissions].

[Screenshot: Parse.com - Disable Class Creation]

Set Class Level Permissions

If you want to stop users from accessing, creating or deleting data, you can set class-level permissions quite easily through the Parse.com Data Browser. For example, you may want to allow creation so users can register with your app, but you will want to disable deletion so user data cannot be erased. Class-level permissions can be set by going to [Data Browser] > Select a Class > Click the [More] dropdown > Select [Set permissions].

[Screenshot: Parse.com - Accessing Class Permissions]

In general, you should disable Delete and Add fields permissions for all classes. If you need the user to be able to delete rows from your Classes, you should use the ACL functionality to give the user permissions to delete only certain data. If you don’t need users to be able to access other users’ data, you should also disable Get and Find – these are crucial to keeping email addresses, usernames and other details stored in the default User class private.

[Screenshot: Parse.com - Disable Class Permissions]

The JavaScript user.logIn and user.signUp functions will continue to work even if Get and Find are disabled.

Overriding ACL using PHP

If you set restrictive permissions, either using ACL or class-level permissions, you can override these using server-side code and the Master Key. The unofficial PHP Parse library can be used to access your Parse database in a secure way, allowing you to delete data, for example.

Unfortunately, the documentation for the PHP library isn’t very good, so I’ve included examples of how to access, create or find data using the PHP library:

Using PHP to Remove Sensitive Data

Setting an ACL on objects is your best defence for protecting data against malicious behaviour; however, Parse’s ACL functionality is somewhat limited. While you can protect an entire row from being read or written, you cannot yet protect individual columns. For example, I cannot open up the default User class to all users while hiding sensitive data (like email addresses) from everyone. It’s either all or nothing.

Using the default User class is the best way to authenticate users, but to keep it secure you should disable Get, Find and Delete for the public so sensitive data stays private. If you need to expose data from this class to other areas of your application, you should use server-side code to access and display the data while hiding what you don’t want everyone to see.

A simple example is:

The above code gets the first 100 users from the default User class, removes sensitive data (including the email address and the Facebook auth token if it exists), and then returns the results in JSON format. This script can then safely be accessed using an AJAX call without having to worry about exposing private data.

If you have lots of data, you can easily add pagination to the API call. Also, if the data isn’t likely to change very often, you can cache the results so you don’t have to request and strip the data every time it’s needed – this will also help reduce your API requests.

Tags: ACL, JavaScript, Parse, PHP, Security

10 comments on “Securing Your Parse.com Database and Using PHP to Override ACL”

  1. Josh Oldham says:
    August 13, 2013 at 4:24 PM

    Nice. Very Nice. Love Parse and their Javascript SDK but security has always worried me. Nice to have this all clearly thought out like this and good food for thought for future apps. refactoring EVERYTHING

  2. Tawan says:
    September 22, 2013 at 8:06 PM

    Thanks for the very nice article. Is disabling Get & Find in the data browser equal to postACL.setPublicReadAccess(false)?

    • Nico says:
      February 14, 2014 at 11:23 PM

      Yes.

  3. Ash says:
    July 2, 2014 at 8:35 PM

    Thanks Niraj for the examples.

    Could you also include an example of how to create a mapping between classes using Pointers?

    // use pointer to other class
    $parse->userid = array("__type" => "Pointer", "className" => "_User", "objectId" => $data['upload_data']['userid']);

    Anything on these lines.

    Thanks.

    • Niraj Shah says:
      July 3, 2014 at 2:17 PM

      Just for you, I’ve created a new tutorial covering Pointers, DataTypes and ACL.

  4. Parse.com: Using DataTypes, Pointers and ACL in PHP and JavaScript | Web Niraj says:
    July 3, 2014 at 2:16 PM

    […] One of the most common questions I get with Parse is how to use Pointers, DataTypes and ACL – this tutorial covers how to do all three in both PHP and JavaScript. […]

  5. Neo Ighodaro says:
    August 11, 2014 at 10:47 PM

    You mentioned being able to create paginated results; do you have a link to a tutorial on this in PHP?

    • Niraj Shah says:
      August 12, 2014 at 1:01 PM

      I don’t have a tutorial for this, but you would rely on the $query->setLimit() and $query->setSkip() parameters for the number of results and the offset respectively. You can pick these up from the PHP $_GET variable and pass them into your Parse $query to create pages.

      Here is a quick demo.

      To go to a different page, just add ?p=10 to the URL to skip the first 10 results. p should be a multiple of your default page size for best results.

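The stripping endpoint the article describes ("A simple example is:") combined with the limit/skip pagination from this reply, as an added example that is not the article's or the unofficial PHP library's own code. It talks to the Parse REST API directly with curl rather than through the library, so the endpoint URL and header names are taken from the REST API, the ?p= parameter from this thread; the app id, master key and page size are placeholders, and PHP 7 or later is assumed.

```php
<?php
// Added example (not the article's own code): returns a sanitized, paginated
// list of users from the default Parse User class using the Master Key.
// Assumptions: the Parse REST API at https://api.parse.com/1/users is used
// directly with curl instead of the unofficial PHP library; the constants
// below are placeholders.

const PARSE_APP_ID     = 'YOUR_APP_ID';      // placeholder
const PARSE_MASTER_KEY = 'YOUR_MASTER_KEY';  // placeholder, server-side only
const PAGE_SIZE        = 100;

// Fields that must never reach the browser. authData holds the Facebook
// access token; sessionToken is stripped as an extra precaution.
const SENSITIVE_FIELDS = ['email', 'authData', 'sessionToken'];

/**
 * Remove sensitive fields from each user record (associative arrays as
 * decoded from the REST API's "results" array).
 */
function strip_sensitive_fields(array $users): array
{
    return array_map(function (array $user): array {
        foreach (SENSITIVE_FIELDS as $field) {
            unset($user[$field]);
        }
        return $user;
    }, $users);
}

/**
 * Turn the ?p= query parameter into a safe skip value: a non-negative
 * integer rounded down to a multiple of PAGE_SIZE. Anything else becomes 0.
 */
function page_to_skip($p): int
{
    $skip = filter_var($p, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($skip === false) {
        return 0;
    }
    return $skip - ($skip % PAGE_SIZE);
}

/**
 * Fetch one page of users with the Master Key, which overrides class-level
 * permissions and ACLs. This must only ever run server-side.
 */
function fetch_users(int $skip): array
{
    $url = 'https://api.parse.com/1/users?' . http_build_query([
        'limit' => PAGE_SIZE,
        'skip'  => $skip,
    ]);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTPHEADER     => [
            'X-Parse-Application-Id: ' . PARSE_APP_ID,
            'X-Parse-Master-Key: ' . PARSE_MASTER_KEY,
        ],
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('Parse request failed: ' . $error);
    }
    curl_close($ch);
    $decoded = json_decode($body, true);
    return $decoded['results'] ?? [];
}

// Entry point: /users.php?p=100 skips the first 100 users.
header('Content-Type: application/json');
$users = strip_sensitive_fields(fetch_users(page_to_skip($_GET['p'] ?? 0)));
echo json_encode($users);
```

The point of page_to_skip() is that the offset comes from the client, so it is validated and clamped before it is forwarded to Parse; the Master Key itself never leaves the server, and only the stripped records are serialised for the AJAX caller.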
  6. saravanakumar says:
    September 30, 2014 at 7:25 AM

    Hi, I am just starting to learn this; I installed this Parse SDK on my local XAMPP server.

    "Fatal error: Uncaught exception 'Parse\ParseException' with message 'SSL certificate problem: unable to get local issuer certificate' in C:\xampp\htdocs\planlet\src\Parse\ParseClient.php:251" – I got this error while running my test code.

    My test code is:

    require_once 'autoload.php';
    use Parse\ParseClient; // needed, otherwise ParseClient cannot be resolved
    use Parse\ParseObject;
    use Parse\ParseQuery;
    $app_id = 'XXXX';
    $rest_key = 'AAAAA';
    $master_key = 'VVVV';
    ParseClient::initialize($app_id, $rest_key, $master_key);
    $object = new ParseQuery("Schools");
    // ParseQuery::get() expects an objectId, not a field name
    $playerName = $object->get("schoolName");

    Can you help me solve this issue?

    • Niraj Shah says:
      September 30, 2014 at 12:10 PM

      It looks like an issue with trying to check the SSL status of your local server. It’s not an ideal work-around, but you can try adding the below code to the _request() function in the ParseClient.php file (around line 245, but before $response = curl_exec($rest);):

      curl_setopt($rest, CURLOPT_SSL_VERIFYPEER, false );

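The alternative to switching CURLOPT_SSL_VERIFYPEER off is to give curl a CA bundle it can verify against, which fixes the "unable to get local issuer certificate" error without dropping certificate checks. The snippet below is an added example, not code from the reply or from the Parse SDK; it assumes a CA bundle file (such as the cacert.pem published by the curl project) saved next to the script, and the bundle path is a placeholder.

```php
<?php
// Added example (not the reply's or the SDK's own code): keep certificate
// verification on and point curl at a CA bundle instead of setting
// CURLOPT_SSL_VERIFYPEER to false. The bundle path is a placeholder.

const CA_BUNDLE = __DIR__ . '/cacert.pem'; // placeholder path

/**
 * Apply verified-TLS options to a curl handle and return it, so the same
 * call can be dropped into _request() before curl_exec($rest).
 */
function configure_tls($rest)
{
    if (!is_readable(CA_BUNDLE)) {
        throw new RuntimeException('CA bundle not found: ' . CA_BUNDLE);
    }
    curl_setopt($rest, CURLOPT_SSL_VERIFYPEER, true); // verify the chain
    curl_setopt($rest, CURLOPT_SSL_VERIFYHOST, 2);    // verify the host name
    curl_setopt($rest, CURLOPT_CAINFO, CA_BUNDLE);    // trust store to use
    return $rest;
}

// Quick check from the command line: php tls_check.php
$rest = configure_tls(curl_init('https://api.parse.com/1/'));
curl_setopt($rest, CURLOPT_RETURNTRANSFER, true);
if (curl_exec($rest) === false) {
    echo 'TLS verification failed: ', curl_error($rest), PHP_EOL;
} else {
    echo 'TLS verification OK', PHP_EOL;
}
curl_close($rest);
```

On XAMPP the same result can be had without touching the SDK by setting curl.cainfo in php.ini to the bundle path; either way the connection to Parse stays authenticated, which matters because the Master Key travels over it.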
