You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have a rails web app where I configure Parse without a master key and then rely on ACLs to manage access to objects.
Standard users can register themselves but there is a privileged user role and to acquire the privileges associated with this role the user must pay. The way I see it is that the user must signup and then assign themselves to the users list in the privileged user role, however to do this the user must be able to write to the role which creates a vulnerability where a standard user can just set themselves in the privileged user role.
I have thought of the following options
Create a admin (like sudoer) user that has the privileges to do this and just as I am about the create the privileged user I login as the admin create and then logout again. To me this seems strange as there might be multiple admin sessions open at one time and I can't see in the parse docs if this is even permitted.
Switch to use master key when creating the privileged user and then switch it off again. I think this might affect concurrent users and also seems quite ugly.
Create a separate role system in the rails app. I think this is the worst option because it just adds complexity and bypasses what seems like a reasonable role mechanism for the sake of a small issue.
My proposal would be to add an optional argument for all actions where you can pass a master_key for that specific operation. This seems like a clean and simple way to resolve my problem. I have also encountered this problem elsewhere like when seeding the data so it's not just in a single area.
Do you have any thoughts on the conundrum and would you be willing for me to try implement my suggestion?
The text was updated successfully, but these errors were encountered:
I have a rails web app where I configure Parse without a master key and then rely on ACLs to manage access to objects.
Standard users can register themselves but there is a privileged user role and to acquire the privileges associated with this role the user must pay. The way I see it is that the user must signup and then assign themselves to the users list in the privileged user role, however to do this the user must be able to write to the role which creates a vulnerability where a standard user can just set themselves in the privileged user role.
I have thought of the following options
Create a admin (like sudoer) user that has the privileges to do this and just as I am about the create the privileged user I login as the admin create and then logout again. To me this seems strange as there might be multiple admin sessions open at one time and I can't see in the parse docs if this is even permitted.
Switch to use master key when creating the privileged user and then switch it off again. I think this might affect concurrent users and also seems quite ugly.
Create a separate role system in the rails app. I think this is the worst option because it just adds complexity and bypasses what seems like a reasonable role mechanism for the sake of a small issue.
My proposal would be to add an optional argument for all actions where you can pass a master_key for that specific operation. This seems like a clean and simple way to resolve my problem. I have also encountered this problem elsewhere like when seeding the data so it's not just in a single area.
Do you have any thoughts on the conundrum and would you be willing for me to try implement my suggestion?
The text was updated successfully, but these errors were encountered: