
Parse.com - How to stop new users seeing content they shouldn't after sign up?

My users can sign up on the index.html page, after successfully entering their details they are forwarded on to the user_home.html page, where relevant content is shown to them.

The issue I have is that new users are seeing content that they shouldn't. My site has friends-based logic in place, which restricts what badges users can view, but when a new user creates an account they can see all content. However, the logic works fine when they just log in normally using their details.

I'm not sure if I have a logic gap or need some additional code in place to clearly identify the user?

What have I missed?

HOME PAGE CODE (CONTENT)

// Login gate: when Parse.User.current() returns nothing, send the visitor back to the sign-in page.
// NOTE(review): this only navigates the browser. Nothing here stops the rest of the script from
// running, and a browser-side check cannot protect the data itself - what each user may read
// has to be enforced server-side (Parse ACLs / class-level permissions).
var currentUser = Parse.User.current();
if (!currentUser) {
    // encodeURI leaves this constant URL unchanged; the redirect target is built as before.
    window.location.href = encodeURI('http://mysiteurl.com/index.html');
}

// Builds the badge query: badges whose SentTo matches the toUser of any FriendRequest
// with status "Connected".
// NOTE(review): nothing below refers to currentUser, so the FriendRequest sub-query is not
// limited to the signed-in user's own connections.
var currentFriendsQuery = new Parse.Query("FriendRequest").equalTo("status", "Connected");

// Parse.Query setters return the query itself, so the calls are chained.
var myBadgeQuery = new Parse.Query("myBadges")
    .include('SentTo')
    .include('uploadedBy')
    .matchesKeyInQuery("SentTo", "toUser", currentFriendsQuery);


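// Runs the badge query and renders one card per result into #container.
// Badge fields and usernames are user-supplied data, so they are inserted with
// .text()/.attr() instead of being concatenated into HTML strings: with concatenation,
// markup stored in a badge name, comment or username would be parsed as HTML (and could
// run as script) in the page of every user who is shown that badge.
myBadgeQuery.find({
    success: function (Badgeresults) {
        "use strict";

        // Username of an included pointer column, or '' when the pointer is unset
        // (the original threw a TypeError here and rendered nothing).
        function usernameOf(badge, column) {
            var pointer = badge.get(column);
            return pointer ? pointer.get('username') : '';
        }

        // Plain-text form of a field. null/undefined become '' - passing undefined to
        // jQuery's .text()/.attr() would be treated as a getter call, not a setter.
        function asText(value) {
            return value == null ? '' : String(value);
        }

        // <div class="..."> whose content is `value` as text, never as markup.
        function textDiv(classes, value) {
            return $('<div></div>').attr('class', classes).text(asText(value));
        }

        for (var i = 0; i < Badgeresults.length; i++) {
            var badge = Badgeresults[i];
            var wrapper = $('<div></div>');

            var image = $('<img class="images responsive-image BadgeImgOutline" />');
            var imageURL = badge.get('Global_Badges_img');
            if (imageURL != null) {
                // Set as an attribute value so quotes in the URL cannot break out of src="...".
                image.attr('src', String(imageURL));
            }
            wrapper.append(image);

            wrapper.append(textDiv('tag badgelabel', badge.get('BadgeName')), '<br>');

            // id kept from the original markup; note that it repeats for every badge.
            // The original string also carried a stray closing </div>, dropped here.
            wrapper.append(
                textDiv('tag categorylabel modal.tag', badge.get('category')).attr('id', 'category'),
                '<br>'
            );

            wrapper.append(textDiv('tag awardedbylabel', usernameOf(badge, 'uploadedBy')), '<br>');
            wrapper.append(textDiv('tag senttolabel', usernameOf(badge, 'SentTo')), '<br>');

            wrapper.append(
                textDiv('item  fui-chat', ' Reason: ' + asText(badge.get('Comment'))),
                '<div class="wrapper b_seperater"></div>',
                '<br>'
            );

            $('#container').append(wrapper);
        }

        collapseIt();
    },
    error: function (error) {
        alert("Error: " + error.code + " " + error.message);
    }
});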

SIGN UP CODE

// Starts the Parse sign-up flow when the #SignUp button is clicked.
$('#SignUp').on('click', function () {
    UserSignUp();
});


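/**
 * Reads the sign-up form, copies the values onto a new Parse.User and calls signUp().
 * A newly created user is sent to user_home.html; a failed sign-up shows the Parse
 * error instead of being silently dropped.
 */
function UserSignUp() {
    var user = new Parse.User();

    // Form values stay in locals. The original assigned them without `var`, which put
    // them - including the plaintext password - on the global object where any other
    // script on the page could read them (and which throws in strict mode).
    var firstName = $('#firstnamesu').val();
    var lastName = $('#lastnamesu').val();
    var username = $('#usernamesu').val();
    var gender = $('#gendersu').val();
    var email = $('#emailsu').val();
    var password = $('#passwordsu').val();

    user.set("FirstName", firstName);
    user.set("LastName", lastName);
    user.set("username", username);
    user.set("gender", gender);
    user.set("email", email);
    user.set("password", password);

    user.signUp(null, {
        success: function (user) {
            if (!user.existed()) {
                window.location.href = "user_home.html";
            } else {
                alert("NO WAY BUDDY");
            }
        },
        error: function (user, error) {
            // Same message format as the badge query's error handler.
            alert("Error: " + error.code + " " + error.message);
        }
    });
}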

MYBADGES (screenshot not included) FRIENDREQUEST (screenshot not included). Using Parse.com and the JavaScript SDK.

There is nothing in the request that limits the data to the current user, so the request will always return the same thing for every user.

Right now you return all the badges that are sent to a list of people that have the status Connected .

You need to update your currentFriendsQuery so that it queries for just the current user.

// The current user can be on either side of a FriendRequest (fromUser or toUser),
// so each side gets its own query and the two are combined with OR.
// NOTE(review): this filter is built in the browser. It narrows what this page asks for,
// but it is not access control - pair it with server-side ACLs / class-level permissions.

// Requests where the current user is fromUser (they sent the request)
var fromQuery = new Parse.Query("FriendRequest").equalTo("fromUser", currentUser);

// Requests where the current user is toUser (they received the request)
var toQuery = new Parse.Query("FriendRequest").equalTo("toUser", currentUser);

// Either side, but only connections that are in the "Connected" state
var currentFriendsQuery = Parse.Query.or(fromQuery, toQuery).equalTo("status", "Connected");

// Badge query, unchanged from the question apart from the narrowed sub-query.
// NOTE(review): SentTo is compared with the request's toUser only; for requests the current
// user received, toUser is the current user, so the sender's badges are presumably not
// matched - confirm against the data.
var myBadgeQuery = new Parse.Query("myBadges")
    .include('SentTo')
    .include('uploadedBy')
    .matchesKeyInQuery("SentTo", "toUser", currentFriendsQuery);
