Parse User object ACL


Question

I'm new to parse, and have a question about the security of data in the parse User "table". I want to store additional data along with the user data. For example, phone number. But by default parse sets the user table to have read access for anyone. So if anyone just hits my parse api, they will be able to get a list of all users and their phone numbers. Obviously this isn't very secure. So should I set the user objects so they can't be read by anyone? Or should I store my details in a different table? Related, I also think it is strange for anyone to just be able to basically dump all my users default columns as well. Right now anyone with my API key can get all users and their email addresses. Am I missing something here about how insecure this is?

Answer

Your concerns are quite valid. The default permissions for the Parse database are configured for easy development, so without further configuration it's almost trivial for anyone to dump all of your users. It is unfortunate that real security requires fairly significant effort when different defaults would have immediately made many applications more secure.

See this blog post for an example of how easy a user dump can be: https://www.webniraj.com/2013/08/01/using-the-parse-javascript-sdk-be-careful/

The per-object ACLs cannot provide access which has been denied by the class level permissions, so even if you don't want any publicly accessible user data, the public class level permissions for the Parse User class need to be configured in a way that allows the SDKs to interact with them:

  • Clients need public "Get" to refresh the current user.
  • Public "Create" is needed to sign up users.
  • Public "Update" is needed to set the username and password.

These public permissions are then restricted further with the user ACL. The built-in User class is assigned a default ACL with public read, and private read/write (for the specific user). I have not needed public read for users, so in an afterSave Cloud Code hook I changed the ACL to private read/write. I did not actually even want private write access, since I was going to use Cloud Code for user updates, but the ACL always returned to private read/write.

I have not needed the ability to search for other users, so I disabled public "Find" which is the quick fix to prevent all of your user info from being dumped. Although less risky, and requiring the specific object id, the public "Get" could still be abused which is why I removed public read from the user ACL.

Update:

Configuring the Class Level Permissions (CLPs) to publicly allow operations does not necessarily mean any data is publicly accessible. These CLPs specify what operations can be run on each class of the database from any client SDK (which is what they mean by "public" — using the "private" master key can still override everything). Then, ACLs on each object specify which users/roles are allowed to read and write that object. I'd highly recommend reading their 5-part blog post on security to gain an understanding of the interactions between the CLPs and the object-level ACLs: Parse Blog: Security

CLPs allow you to lock down client access to entire classes in the database. For example, I have a class used only by Cloud Code, so I have disabled all CLPs (preventing any client SDK from reading or writing these objects), and then the Cloud Code uses the master key to override the CLP for use on the server. I also have objects that are client-facing but private to the user. These have public Get and Find CLPs, but are secured to the user with a private read/write ACL for only that user.

Parse also added "pointer permissions" recently, which look helpful in restricting access to the "owner" of each object, but I have not personally used these: Parse Pointer Permissions
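The interaction the answer describes (a CLP denial is final, a public CLP is then narrowed by each object's ACL, and the master key bypasses both) can be checked with a small model. The following is an added example, not code from the original post or from the Parse project: it uses the ACL shape Parse stores on objects (`{ "<userId>" | "*": { read, write } }`), but the CLP object, `authorize()` and the sample users are constructed for this model. In real Cloud Code the private ACL below is what `new Parse.ACL(user)` produces when set in an afterSave hook on `_User`.

```javascript
// Added example: a self-contained model of Parse CLPs combined with per-object ACLs.
// No Parse SDK is used; runs under plain Node.

// Parse's default ACL on a new _User: public read, owner read/write.
function defaultUserAcl(userId) {
  return { '*': { read: true }, [userId]: { read: true, write: true } };
}

// The ACL the answer's afterSave hook leaves behind: owner read/write only.
function privateAcl(userId) {
  return { [userId]: { read: true, write: true } };
}

// Does `acl` grant `perm` ("read" | "write") to `requester` (a user id, or null for anonymous)?
function aclAllows(acl, perm, requester) {
  if (acl['*'] && acl['*'][perm]) return true;
  return Boolean(requester && acl[requester] && acl[requester][perm]);
}

// Evaluate one client operation against a class (hypothetical helper, constructed for this model).
//   clp:       { get, find, create, update, delete } booleans for public (any client SDK) access
//   objects:   stored rows, each { objectId, acl, ...fields }
//   op:        "get" | "find" | "update"
//   requester: a user id, null for an anonymous client, or "master" for the master key,
//              which bypasses both the CLP and every ACL
//   objectId:  required for get/update
// A CLP denial is final: no per-object ACL can grant what the CLP refuses.
function authorize(clp, objects, op, requester, objectId) {
  const master = requester === 'master';
  if (!master && !clp[op]) {
    return { allowed: false, reason: `CLP denies public ${op}`, results: [] };
  }
  const perm = op === 'update' ? 'write' : 'read';
  const candidates = op === 'find' ? objects : objects.filter(o => o.objectId === objectId);
  // Objects the ACL hides are simply absent from the result, as in Parse.
  const results = candidates.filter(o => master || aclAllows(o.acl, perm, requester));
  return { allowed: true, reason: null, results };
}

// Constructed sample rows for the _User class.
const alice = { objectId: 'u1', username: 'alice', phone: '555-0100' };
const bob   = { objectId: 'u2', username: 'bob',   phone: '555-0101' };

// Scenario 1: the defaults the question worries about (everything public, default ACL).
const defaultClp = { get: true, find: true, create: true, update: true, delete: true };
const defaultRows = [alice, bob].map(u => ({ ...u, acl: defaultUserAcl(u.objectId) }));

// Scenario 2: the answer's configuration: public Find off, Delete off, private ACL per user.
const hardenedClp = { get: true, find: false, create: true, update: true, delete: false };
const hardenedRows = [alice, bob].map(u => ({ ...u, acl: privateAcl(u.objectId) }));

// Phone numbers an anonymous client obtains with a single Find query.
function phonesVisibleToAnonymousFind(clp, rows) {
  return authorize(clp, rows, 'find', null).results.map(o => o.phone);
}

// Summary of the two scenarios, returned so it can be inspected or asserted on.
function demo() {
  return {
    defaultAnonymousDump: phonesVisibleToAnonymousFind(defaultClp, defaultRows),
    hardenedAnonymousFind: authorize(hardenedClp, hardenedRows, 'find', null).reason,
    hardenedAnonymousGetAlice: authorize(hardenedClp, hardenedRows, 'get', null, 'u1').results.length,
    hardenedAliceGetAlice: authorize(hardenedClp, hardenedRows, 'get', 'u1', 'u1').results.length,
    hardenedBobGetAlice: authorize(hardenedClp, hardenedRows, 'get', 'u2', 'u1').results.length,
    hardenedMasterFind: authorize(hardenedClp, hardenedRows, 'find', 'master').results.length,
  };
}

console.log(demo());
```

With the defaults, the anonymous Find returns both phone numbers; with the answer's configuration the Find is refused at the CLP, a Get by object id succeeds only for the owner, and the master key (used from Cloud Code) still sees every row.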

