
parse.com - Limiting who can sign up

I might be missing something in the security documentation for parse.com but I don't see how to limit who can sign up to the app?

I am making an app (html/javascript) with parse as the backend. The data will be shared amongst a team of people.

What stops someone from using the sign up javascript code to create their own account with the correct role that then gives them access to the parse database?

A requirement to allow only members of a particular team to create an identity (sign up) implies that you have an external means of establishing someone's identity as a team member in the first place.

How you get this done with parse's generic (I would argue reasonably generic) User model depends on those external means. But the effect in parse ought to be, if someone proves they are "on the team", assign their users to an onTheTeam role. Then, via class-level permissions or ACLs, provide more privilege to users who are members of that role and fewer/none to users who aren't.

Here are some ideas about establishing team membership to an externally defined team:

  1. If team membership can be established via an API to another system: On a beforeSave hook for the Parse.User, call that API and assign them to the "onTheTeam" role if successful, otherwise fail with an error.

  2. If you know team members' email addresses: Have parse send an email verification challenge to new registrants. Upon user save, assign them to the "onTheTeam" role if and only if their email is on the list and their emailVerified property is true. (I've used this approach successfully for an app in production).

  3. If the team is just a handful of friends: pass everyone a secret via an outside channel. Have your registration collect name, password and the secret, and assign these to the new user. Validate the secret in a beforeSave hook on Parse.User. If valid, add the user to the "onTheTeam" role, otherwise prevent the save with an error. (The outside channel you employ to pass the secret depends on the security of your app... e.g. for a highly secure app, ask each team member to meet you at a particular park bench, wear a fedora and pass the secret in a rolled-up newspaper).
