ParseError {code: 206, message: "Cannot modify user FQrZUWcoW9."} #4647

Closed
hom opened this issue Mar 15, 2018 · 6 comments

hom commented Mar 15, 2018

ParseError {code: 206, message: "Cannot modify user FQrZUWcoW9."}.

Issue Description

ParseError {code: 206, message: "Cannot modify user FQrZUWcoW9."} when setting another user,
even though I set this ACL

Steps to reproduce

In the source code, I found these:

// RestWrite.js 975-979
if (this.className === '_User' &&
    this.query &&
    !this.auth.couldUpdateUserId(this.query.objectId)) {
  throw new Parse.Error(Parse.Error.SESSION_MISSING, `Cannot modify user ${this.query.objectId}.`);
}

// Auth.js 21-31
// Whether this auth could possibly modify the given user id.
// It still could be forbidden via ACLs even if this returns true.
Auth.prototype.couldUpdateUserId = function(userId) {
  if (this.isMaster) {
    return true;
  }
  if (this.user && this.user.id === userId) {
    return true;
  }
  return false;
};

Expected Results

What you expected to happen.

Actual Outcome

What is happening instead.

Environment Setup

  • Server
    • parse-server version (Be specific! Don't say 'latest'.): 2.7.2

Logs/Trace

@flovilmart
Contributor

This is the expected behaviour: one authenticated user cannot write on another user's object, nor read on it. This is a security measure. Users hold private information and therefore are protected in a more restrictive way.

aBuder commented May 25, 2018

@flovilmart Is there no solution to update the user attributes? For example, a user with an admin role should edit and change user attributes. Is there a solution to solve the problem in the basic Parse way without writing some custom cloud code?

@mullwaden

I have a similar issue where I need admins to be able to modify users. The behavior is very inconsistent, i.e. ACL for the user doesn't really make sense at all:

        const acl = new Parse.ACL();
        acl.setPublicReadAccess(true);
        acl.setWriteAccess(newUser.id, true);
        acl.setRoleWriteAccess(businessUnit.getUserRoleId(), true);
        newUser.setACL(acl);

        return newUser.save(null, { useMasterKey: true });

In the example above the ACL tells me I should be able to edit and a cryptic error message tells me I can't.

@flovilmart
Contributor

In the latest release, updating users with the masterKey should let any ACL be set. We still want to ensure a user can’t accidentally lock himself out; there has been some discussion around it. I’d gladly review a PR that softens the possible updates on ACLs while preserving enough safety.

@mullwaden

@flovilmart yes the ACL is possible to set but does not reflect what can actually be done since Auth.prototype.couldUpdateUserId would still block any changes by another user.

Made a simple PR #4792

aBuder commented May 30, 2018

@mullwaden This PR would make me happy and solve the problem 👍🏻
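
The check order this thread discusses, modelled as an added example (not parse-server code and not written by any commenter): the `_User` gate quoted from Auth.js runs before the ACL, so a role write grant alone does not help, while a server-side path that verifies the role and then writes with master authority does. The ACL check is simplified, and `adminUpdate`, the `admin` role name and the `ADMIN_EDITABLE` fields are assumptions.

```javascript
// Added illustration, not parse-server code: a model of the check order in this thread.
const SESSION_MISSING = 206; // code carried by the reported ParseError
const ADMIN_EDITABLE = new Set(['displayName', 'disabled']); // hypothetical fields

// Same logic as the Auth.js excerpt quoted in the issue.
function couldUpdateUserId(auth, userId) {
  if (auth.isMaster) return true;
  return Boolean(auth.user && auth.user.id === userId);
}

// Simplified ACL model (assumption): a write needs an entry for the caller's id or role.
function aclAllowsWrite(acl, auth) {
  if (auth.isMaster) return true;
  const keys = [auth.user.id, ...(auth.roles || []).map((r) => `role:${r}`)];
  return keys.some((k) => Boolean(acl[k] && acl[k].write));
}

// Order from the RestWrite.js excerpt: the _User gate runs first, so in this model
// the ACL is never consulted for a non-master caller editing someone else.
function authorizeUserUpdate(auth, target) {
  if (!couldUpdateUserId(auth, target.id)) {
    return { ok: false, code: SESSION_MISSING, message: `Cannot modify user ${target.id}.` };
  }
  return aclAllowsWrite(target.acl, auth) ? { ok: true } : { ok: false, reason: 'acl' };
}

// Hypothetical server-side admin path: check the role, keep only allow-listed
// fields, then perform the write with master authority.
function adminUpdate(caller, target, changes) {
  if (!(caller.roles || []).includes('admin')) return { ok: false, reason: 'not-admin' };
  const applied = Object.fromEntries(
    Object.entries(changes).filter(([field]) => ADMIN_EDITABLE.has(field)));
  const verdict = authorizeUserUpdate({ isMaster: true }, target);
  if (verdict.ok) Object.assign(target.fields, applied);
  return { ...verdict, applied };
}

// Constructed sample: the target user from the error, with an ACL like the one posted above.
function sampleTarget() {
  return {
    id: 'FQrZUWcoW9',
    fields: { displayName: 'old' },
    acl: { '*': { read: true }, FQrZUWcoW9: { write: true }, 'role:admin': { write: true } },
  };
}
```

The allow-list is what keeps the master-key path from becoming a way to overwrite fields such as `password` or `ACL` on arbitrary users.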
