Pointer Permissions parsing does not permit creation

Despite meticulously following the instructions in this guide, I am encountering a 403 error when attempting to create a new row:

Error code: 119

Error message: "This user does not have permission to carry out the create operation on Messages. This setting can be adjusted in the Data Browser."

Here is my code snippet:

Messages = Parse.Object.extend("Messages")
var message = new Messages();
message.set("sender", Parse.User.current());
message.set("receiver", *anotherUser*);
message.set("subject", "foo")
message.set("body", "bar")
message.save()
.then(
  function(message){
    console.log("Success!")
  },function(error){
    console.log("Error: ", error);
});

My CLPs are configured as shown below: https://i.sstatic.net/t4zMg.png https://i.sstatic.net/gp1ok.png

A similar issue was reported by another user in a Google group discussion. What could we be overlooking?

Answer №1

After reporting this issue to Parse (Facebook) as a bug, they confirmed:

Upon investigation, we have reproduced the issue and verified it as a legitimate bug. Our team is now working on fixing it.

I will keep you posted on the progress of resolving this matter. If you are affected by this problem, please subscribe to the bug report for faster resolution.

UPDATE

Latest response from Facebook:

It turns out that this behavior is intentional. To create an object, the corresponding class must have public create permissions.

Unfortunately, following this guideline allows me to send messages "from" any other user (with the other user designated as the sender). In my opinion, this approach is unacceptable and impractical.

Answer №2

Since the inception of Pointer Permissions, a persistent bug has rendered them essentially useless. It seems like the intention was to allow developers to secure existing schemas all at once, but in reality, it needs to work for future creations as well.

To work around this issue, one option is to combine older Class Level Permissions with per-row ACLs, being cautious not to disable your Data Browser. For instance, if you have classes named "Puppy" and "Cat" both containing an "owner" field.

  1. In the Data Browser, adjust the Class Level Permissions for Puppy and Cat by setting the owner field permissions to:

Public - Read: Yes or No (depends on use case), Write: Yes

Add a Pointer Permission for "owner" - Read: Yes, Write: Yes (optional for now, see below)

  1. Then, in your cloud/main.js file, consider using this initial structure (referred to as "types" below):

  2. Once Parse resolves the creation issue, remove the Public Write Class Level permission (mentioned above), retain the Pointer Permission, and discard the workaround code below.

--

var validateAndUpdateOwnerWritePerms = function(request){
    var object = request.object;
    var error = null;
    var owner = object.get('owner');

    if (!Parse.User.current()) {
        error = 'User session required to create or modify object.';
    } else if (!owner) {
        error = 'Owner expected, but not found.';
    } else if (owner && owner.id != Parse.User.current().id && !object.existed()) {
        error = 'User session must match the owner field in the new object.';
    }

    if (request.master) {
        error = null;
    }

    if (error) {
        return error;
    }

    if (object.existed()) {
        return null;
    }

    var acl = new Parse.ACL();
    acl.setReadAccess(owner, true);
    acl.setWriteAccess(owner, true);

    object.setACL(acl);

    return null;
}

// Wrapper that makes beforeSave, beforeDelete, etc. respect master-key calls.
// If you use one of those hooks directly, your tests or admin
// console may not work.
var adminWriteHook = function(cloudHook, dataType, callback) {
    cloudHook(dataType, function(request, response) {
        if (request.master) {
            Parse.Cloud.useMasterKey();
        } else {
            var noUserAllowed = false;
            if (cloudHook == Parse.Cloud.beforeSave &&
                (dataType == Parse.Installation || dataType == Parse.User)) {
                    noUserAllowed = true;
            }
            if (!noUserAllowed && !Parse.User.current()) {
                response.error('Neither user session, nor master key was found.');
                return null;
            }
        }

        return callback(request, response);
    });
};

// Set hooks for permission checks to run on delete and save.
var beforeOwnedTypeWriteHook = function(type) {
    var callback = function (request, response) {
        var error = validateAndUpdateOwnerWritePerms(request);
        if (error) {
            response.error(error);
            return;
        }
        response.success();
    };
    return adminWriteHook(Parse.Cloud.beforeSave, type, callback);
    return adminWriteHook(Parse.Cloud.beforeDelete, type, callback);
};

beforeOwnedTypeWriteHook('Puppy');
beforeOwnedTypeWriteHook('Cat');

Answer №3

It appears that there is an issue with how Parse Pointer Permissions function during the Create process. To address this issue, you can grant Create permission to the Public and implement a validation step to ensure that the user creating a record matches the sender. This validation can be done in the beforeSave trigger for the Messages class in cloud code. If the validation fails, the creation of the record should be rejected.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Replicate the process of transferring table rows to the clipboard, but exclusively copying the contents

Currently, I am attempting to copy a paginated table to my clipboard by referring to this guide: Select a complete table with Javascript (to be copied to clipboard). However, the issue lies in the fact that it only copies the data from the first page. In ...

What is the best way to use jQuery to emphasize specific choices within an HTML select element?

Seeking help with jQuery and RegEx in JavaScript for selecting specific options in an HTML select list. var ddl = $($get('<%= someddl.ClientID %>')); Is there a way to utilize the .each() function for this task? For Instance: <select i ...

Is there a way to duplicate and insert a function in node.js if I only have its name?

I'm currently working on a code generation project and I've encountered a problem that I initially thought would be easy to solve. However, it seems to be more complicated than I anticipated. My task involves taking a method name as input, naviga ...

The combination of eq, parent, and index appears to be ineffective

Okay, so I have this table snippet: <tr> <td> <input type="text" name="value[]" class="value" /> </td> <td> <input type="text" name="quantity[]" class="quantity" /> </td> </tr> Here& ...

Is There a Sparse Array Element in JavaScript?

Is there a more efficient method to check for the presence of an array element within multiple layers of a structure? For example: if (typeof arr[a][b][c] === 'undefined') { ...do something... } If [a] or [b] are missing, we cannot accurately t ...

"Implementing a select value in React.js using option values and mapping through iterations, with the

Currently, I am working on a React application where I encountered an issue with the map method during iteration. I have a select box that needs to be filled with numbers ranging from 0 to a specified value. My expected output should be [{label:0,value:0 ...

Vue.js fails to update view after file status changes

I am currently working with Vue.js and have the following code snippet: <div class="file has-name is-fullwidth is-light"> <label class="file-label"> <input class="file-input" ...

Examining the scroll-down feature button

I'm currently experimenting with a scroll down button on my website and I'm perplexed as to why it's not functioning properly. <!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta name="viewport" c ...

Significant Google Maps malfunction detected with API V3

Update: Issue resolved, check out my answer below. The scenario: User interacts with a map-image google maps API V3 is loaded using ajax the map is displayed in a dialog window or lightbox What's going on: The map loads and all features are funct ...

Transform a checkbox input into two distinct buttons

I am trying to change the input checkbox that toggles between light and dark mode into two separate buttons. How can I achieve this functionality? Check out the demo here: https://jsfiddle.net/ot1ecnxz/1 Here is the HTML code: <input type="checkb ...

Issue with $watch function causing $scope variable to remain undefined, even though it is being explicitly

I've been encountering an issue while trying to insert data into my Firebase database using a user's uid. It seems to be coming out as undefined for some reason. Here's a closer look at the code snippet causing the problem: The primary cont ...

Ways to target only the adjacent div

My goal is to target only the next div with the class name indented. Each indented div should have the same id as the <li> element right before it. Currently, I want each div with the class name indented to have the id of the previous <li>. He ...

Tips on navigating an array to conceal specific items

In my HTML form, there is a functionality where users can click on a plus sign to reveal a list of items, and clicking on a minus sign will hide those items. The code structure is as follows: <div repeat.for="categoryGrouping of categoryDepartm ...

Having an excess of 32 individual byte values

My current project involves developing a permission system using bitwise operators. A question came up regarding the limitation of having only 32 permissions in place: enum permissions { none = 0, Founder = 1 << 0, SeeAdmins = 1 << ...

Issue encountered during app creation using the command line interface

After successfully installing nodejs and checking the versions of nodejs, npm, and npx, I proceeded to run the command npm install -g create-react-app which executed without any issues. However, when I attempted to create a new React app using create-react ...

Tips for avoiding unnecessary re-renders

The component I created sends props to both the checkbox and range components. During testing, I noticed that when a change was made in the range component, the checkbox also re-rendered even though it wasn't changed, and vice versa. Issue: When ...

Steps for developing your own node package manager

Looking to create a CLI package manager application called mypkgname for your Github repository? You can easily install this package globally by registering it on npm: npm install -g mypkgname-cli mypkgname init myApp cd myApp npm install npm start Here ...

A timer created using jQuery and JavaScript

Looking for a way to automatically transition between three div elements with a fade in/out effect every 8 seconds? Check out this simple code snippet I wrote: $(".link1").click(function () { $(".feature1").fadeIn(1000); $(".feature2").fadeOut(1000) ...

Display only the labels of percentages that exceed 5% on the pie chart using Chart JS

I'm currently diving into web development along with learning Chart.js and pie charts. In my project, the pie chart I've created displays smaller percentage values that are hardly visible, resulting in a poor user experience on our website. How c ...

Possible problem that may arise when using Express without Jade

I've been experimenting with Express for my latest project, and I came across the suggestion to use the Jade template engine for views like this: /* GET home page. */ router.get('/', function(req, res, next) { res.render('index' ...