Easy Win – Secure Your Classes
Disable Class Creation
To stop clients creating new classes in your database (as I did in my previous article), you should turn off class creation. The setting can be found under [Settings] > [General Settings] > [App Permissions].
Set Class Level Permissions
If you want to stop users from accessing, creating or deleting data, you can set class-level permissions quite easily through the Parse.com Data Browser. For example, you may want to allow creation so users can register with your app, but you will want to disable deletion so user data cannot be erased. Class-level permissions can be set by going to [Data Browser] > Select a Class > Click the [More] dropdown > Select [Set permissions].
In general, you should disable the Delete and Add Fields permissions for all classes. If you need users to be able to delete rows from your classes, use the ACL functionality to give each user permission to delete only their own data. If you don’t need users to be able to access other users’ data, you should also disable Get and Find – these are crucial to keeping email addresses, usernames and other details stored in the default User class private.
Sign-up (user.signUp) will continue to work even if Get and Find are disabled.
Overriding ACL using PHP
If you set restrictive permissions, either using ACLs or class-level permissions, you can override them from server-side code using the Master Key. The unofficial PHP Parse library can be used to access your Parse database in a secure way, allowing you to delete data, for example. The Master Key bypasses every ACL and class-level permission, so it must only ever live on your server and never be shipped to a client.
Unfortunately, the documentation for the PHP library isn’t very good, so I’ve included examples of how to access, create or find data using the PHP library:
Using PHP to Remove Sensitive Data
Setting ACLs on objects is your best defence against malicious behaviour and data exposure; however, Parse’s ACL functionality is somewhat limited. While you can protect an entire row from being read or written, you cannot yet protect individual columns. For example, I cannot open up the default User class to all users while hiding sensitive columns (like email addresses) from them. It’s either all or nothing.
Using the default User class is the best way to authenticate users, but to keep it secure you should disable Get, Find and Delete for the public so sensitive data stays private. If you need to expose data from this class to other areas of your application, use server-side code to serve the data while stripping out what you don’t want everyone to see.
A simple example is:
The above code gets the first 100 users from the default User class, removes sensitive data (including the email address and the Facebook auth token if it exists), and then returns the results in JSON format. This script can then safely be called via AJAX without having to worry about exposing private data.
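The same pattern written against the Parse REST API instead of the unofficial PHP library, as an added example that is not the original post’s code: the Master Key fetch and the field stripping are separate functions, so the stripping can be exercised offline on the constructed sample at the bottom. The endpoint, header names and placeholder keys are assumptions; the field list is the one described above.

```php
<?php
// Added example, not the original post's or the unofficial PHP library's code.
// Assumes the Parse REST API endpoint and header names shown below.

// Columns that must never leave the server. 'authData' is where Parse keeps the
// Facebook access token; 'sessionToken' and 'password' are included for safety.
const SENSITIVE_FIELDS = ['email', 'authData', 'sessionToken', 'password'];

// Drop every sensitive column from each user row. A deny-list is what the post
// describes; an allow-list of the columns you actually need is safer, because a
// column added later is then hidden by default.
function stripSensitiveFields(array $users): array {
    $cleaned = [];
    foreach ($users as $user) {
        foreach (SENSITIVE_FIELDS as $field) {
            unset($user[$field]);
        }
        $cleaned[] = $user;
    }
    return $cleaned;
}

// Fetch the first $limit users with the Master Key. This bypasses all ACLs and
// class-level permissions, so it must only ever run server-side.
function fetchUsers(string $appId, string $masterKey, int $limit = 100): array {
    $ch = curl_init('https://api.parse.com/1/classes/_User?limit=' . $limit);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => [
            'X-Parse-Application-Id: ' . $appId,  // placeholder, not a real key
            'X-Parse-Master-Key: ' . $masterKey,  // placeholder, not a real key
        ],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    $decoded = json_decode((string) $body, true);
    return $decoded['results'] ?? [];
}

// Constructed sample standing in for the API response, so this runs offline.
// In production replace it with fetchUsers('APP_ID_PLACEHOLDER', 'MASTER_KEY_PLACEHOLDER').
$sample = [
    ['objectId' => 'abc123', 'username' => 'alice', 'email' => 'alice@example.com',
     'authData' => ['facebook' => ['access_token' => 'CONSTRUCTED_TOKEN']]],
    ['objectId' => 'def456', 'username' => 'bob', 'email' => 'bob@example.com'],
];
header('Content-Type: application/json');
echo json_encode(stripSensitiveFields($sample));
```

Only objectId and username reach the client; the email addresses and the Facebook token in authData are removed before encoding.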
If you have lots of data, you can easily add pagination to the API call. If the data isn’t likely to change very often, you can also cache the results so you don’t have to request and strip the data every time it’s needed – this will also help reduce your API requests.