你怎么能 model 解析数据库安全的多用户共享 object 访问?
[英]How could you model Parse database for secure multi-user shared object access?
问题描述
I'm trying to model my Parse database for ACL access with Roles.
我正在尝试 model 我的 Parse 数据库以使用角色进行 ACL 访问。 Roles will contain many users so that users can have groups with whom they share data.角色将包含许多用户,以便用户可以拥有与其共享数据的组。 I am also locking all CLPs 100%.我还 100% 锁定所有 CLP。 Only User will have public find() & write() access for login and creation.只有用户拥有用于登录和创建的公共 find() 和 write() 访问权限。
I have not yet seen an exact situation where this was explained at all.我还没有看到完全解释这一点的确切情况。 I have seen many examples of relations, pointers and ACL Role access but none for shared, secured database.我见过很多关系、指针和 ACL 角色访问的例子,但没有一个是共享的、安全的数据库。 So far I cannot understand or extrapolate how I can have locked CLPs (no find()) and Role based ACL access.到目前为止,我无法理解或推断我如何锁定 CLP(没有 find())和基于角色的 ACL 访问。 Can pointers or relations enable this somehow?指针或关系能以某种方式实现这一点吗?
Current get colors either returns all objects with master key (obviously the opposite of what I want) or access denied.当前获取 colors 要么返回所有具有主密钥的对象(显然与我想要的相反),要么访问被拒绝。
Parse.Cloud.define("ccGetColors", async (request) => {
let currentUser = request.user;
let query = new Parse.Query("Color");
// query.equalTo("user", currentUser);
let results = await query.find({ useMasterKey: true });
if(results.length === 0) throw new Error('No results found!');
let steralizedResults = [];
for (let i = 0; i < results.length; i++) {
let object = results[i];
let color = object.get("color");
steralizedResults.push(color);
}
return steralizedResults;
});
Adding user to roles将用户添加到角色
Parse.Cloud.define("ccAddUserToRole", async function(request) {
let user = request.user;
// Get group admin ID
let userQuery = new Parse.Query("AddUser");
let results = await userQuery.find({ useMasterKey: true });
let resultObject = results[0];
let groupAdminObject = resultObject.get("groupAdmin");
let groupAdminID = groupAdminObject.id;
// Concatonate group name
let groupName = "Group_" + groupAdminID;
// Query for group role with group ID
let roleQuery = new Parse.Query(Parse.Role);
roleQuery.contains("name", groupName);
roleQuery.first({ useMasterKey: true }).then(function(role) {
console.log(role);
role.relation("users").add(user);
role.save(null, { useMasterKey: true });
});
});
- Currently role points to users, this is working nicely adding users as per above.当前角色指向用户,这可以很好地按照上述方式添加用户。
- My color class has Role based ACL access and works fine for a single user.我的颜色 class 具有基于角色的 ACL 访问权限,并且适用于单个用户。
- All CPLs are currently locked and I want to keep it that way.所有 CPL 目前都已锁定,我希望保持这种状态。
Can someone help point me in the right direction?有人可以帮我指出正确的方向吗? Either pointer or relation me in the right direction;)指向正确的方向或与我联系;)
2 个解决方案
解决方案1
1 2021-10-01 17:54:50
In the way Parse Server security works, for a certain user to have access to a certain object, BOTH ACL rule rule for the object AND CLP rule for the object's class must pass.在 Parse Server 安全工作的方式中,对于某个用户可以访问某个 object,object 的 ACL 规则和对象的 class 的 CLP 规则都必须通过。 It means that, if you remove all permissions on CLP of a certain class, all objects of that class will only be accessible via Master Key, which looks like the behavior you have.这意味着,如果您删除某个 class 对 CLP 的所有权限,则该 class 的所有对象将只能通过主密钥访问,这看起来像您的行为。
Since you have ACL rules for each of the objects, I'd set the CLP to allow authenticated users only, and you should achieve what you need this way.由于每个对象都有 ACL 规则,我将 CLP 设置为仅允许经过身份验证的用户,并且您应该通过这种方式实现您的需要。
解决方案2
0 已采纳 2021-10-02 02:45:34
I got this to happen exactly as I intend, albeit, in a bit of a roundabout way not directly using relations or pointers.我让这件事完全按照我的意图发生,尽管是以一种迂回的方式,而不是直接使用关系或指针。 I'm sure there is an even easier way of doing this however I don't know about it.我敢肯定有一种更简单的方法可以做到这一点,但是我不知道。
In my simple demo project I have a color class representing simple data, the class includes a color and a groupOwner.在我的简单演示项目中,我有一个代表简单数据的颜色 class,class 包括一个颜色和一个 groupOwner。 The group owner property is the role name which is saved with each new object. On query for all colors I'm checking for user's role and referencing this against the colors the user has access to.组所有者属性是与每个新 object 一起保存的角色名称。在查询所有 colors 时,我正在检查用户的角色并将其与用户有权访问的 colors 进行引用。 This way only authorized objects are returned based on user's role.这样根据用户的角色只返回授权的对象。
In my project all CLPs are 100% locked except login and signup, and even these I'm looking at locking to call through cloud code.在我的项目中,除了登录和注册之外,所有 CLP 都是 100% 锁定的,即使是这些我也在考虑锁定以通过云代码调用。 I want as much server control as possible and as much hidden code as possible.我想要尽可能多的服务器控制和尽可能多的隐藏代码。
If anyone has input or a better way please share:)如果有人有意见或更好的方法请分享:)
Parse.Cloud.define("ccSaveColor", async (request) => {
let colorString = request.params.color;
const query = await new Parse.Query(Parse.Role).equalTo('users', request.user).find({ useMasterKey: true })
let role = await query[0];
var groupACL = new Parse.ACL();
groupACL.setRoleWriteAccess(role, true);
groupACL.setRoleReadAccess(role, true);
let Color = Parse.Object.extend("Color");
let color = new Color();
color.set("groupOwner", role.get("name"));
color.set("color", colorString);
color.setACL(groupACL);
return await color.save(null, { useMasterKey: true });
});
Parse.Cloud.define("ccGetColors", async (request) => {
const roleQuery = await new Parse.Query(Parse.Role).equalTo('users', request.user).find({ useMasterKey: true })
let role = await roleQuery[0];
let query = new Parse.Query("Color");
query.equalTo("groupOwner", role.get("name"));
let results = await query.find({ useMasterKey: true });
if(results.length === 0) throw new Error('No results found!');
let steralizedResults = [];
for (let i = 0; i < results.length; i++) {
let object = results[i];
let color = object.get("color");
steralizedResults.push(color);
}
return steralizedResults;
});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.