解析服务器安全 [英] Parse Server Security

问题描述

我正在运行一个干净的 Heroku &解析服务器的 MLab 安装 (https://github.com/ParsePlatform/parse-server-example)，我使用 Parse Server Dashboard (https://github.com/ParsePlatform/解析仪表板).

I am running a clean Heroku & MLab installation of the Parse Server (https://github.com/ParsePlatform/parse-server-example), which I am controlling using the Parse Server Dashboard (https://github.com/ParsePlatform/parse-dashboard).

我可以进行 Rest API 调用 &创建新类.如何防止通过 API 调用(登录用户或匿名)创建新类?

I can make Rest API calls & create new classes. How do I prevent new classes from being created through API calls(either by logged in users or anonymously)?

目前 Parse Server Dashboard 中似乎没有对此进行控制.

It looks like there is no control of this in the Parse Server Dashboard at present.

推荐答案

我在这里找到了问题的答案:

I've found the answer to my question here:

http://stansidel.com/2016/03/parse-server-security-consultations-and-server-updates/

设置 allowClientClassCreation，这是解析服务器设置中的高级选项之一.

Setting the allowClientClassCreation which is one of the advanced options in the Parse Server setup.

我已将 enableAnonymousUsers 设置为 false，以防止匿名调用 API.

I have set enableAnonymousUsers to false which prevents anonymous calls to the API.

index.js 中的相关代码片段现在如下所示:

The relevant snippet of code in the index.js now looks as follows:

var api = new ParseServer({
  databaseURI: databaseUri || 'mongodb://localhost:27017/dev',
  cloud: process.env.CLOUD_CODE_MAIN || __dirname + '/cloud/main.js',
  appId: process.env.APP_ID || 'myAppId',
  masterKey: process.env.MASTER_KEY || '', //Add your master key here. Keep it secret!
  serverURL: process.env.SERVER_URL || 'http://localhost:1337/parse',  // Don't forget to change to https if needed
  enableAnonymousUsers: process.env.ANON_USERS || false,
  allowClientClassCreation: process.env.CLIENT_CLASS_CREATION || false,
  liveQuery: {
    classNames: ["Posts", "Comments"] // List of classes to support for query subscriptions
  }
});

这篇关于解析服务器安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！