Filter based on ACL

Ignore1807 · December 28, 2022, 3:13am

How can I query the “Note” class (see picture below) for the ACL: "role: “Group2”. So when I query through the Note class I want to filter out Objects with a specific role.

Here is a picture of the Notes class.

So normally if I want to query for the objectId I do the following thing and it works:

 async function querySomething(objectId) {

            const Notes = Moralis.Object.extend("Note");
            const query = new Moralis.Query(Notes);
            query.equalTo("objectId", objectId);
            const results = await query.find();

            console.log(results[0].get('content'))

        }

But I don’t know how to query ACL. When I try I this I’m getting an error:

        async function querySomething(roleName) {

            const Notes = Moralis.Object.extend("Note");
            const query = new Moralis.Query(Notes);
            query.equalTo("ACL", roleName);
            const results = await query.find();

            console.log(results[0].get('content'))

        }

Error:

querySomething("Group1")
Promise {<pending>}
moralis.js:26280 
 POST https://hb8ozxaq1hib.usemoralis.com:2053/server/classes/Note 400
moralis.js:26416 Uncaught (in promise) Error: Cannot query on ACL.
    at handleError (moralis.js:26416:17)
    at async querySomething (wallet.html:121:29)

cryptokid · July 9, 2022, 7:42pm

you could try with master key (on find: await query.find();), not sure if it will be a difference

Ignore1807 · July 10, 2022, 9:11am

Seems like I have avoided the problem by adding a new column called “group” and adding the group name to it.

coder · September 30, 2022, 6:27pm

It would be nice to get a definitive answer on ACL filtering in general. We currently use a manually created field as well. But making sure the two stay in sync seems unnecessarily risky.

Additionally, we have situations where we want to retrieve certain items that may currently be “unpublished” to the public, but still allow owners to view those items. Using masterkey without any matching leaves everything wide open and seems to be a bad idea. ACL “scoping” is preferable.

Any documentation on making use of ACL via both basic Query as well as pipeline? I see we can set it just fine, but it would be nice to filter on it as well.

cryptokid · September 30, 2022, 8:42pm

you can look on the general documentation for parse server as parse serve is used in a Moralis Server

coder · September 30, 2022, 10:37pm

Yes, I’ve done that. I’ve even watched a few of the really outdated videos to get some sense of how to do it. Everything focuses on setting ACL, rather than querying it and acting accordingly.

As an example, I have two test users in an application. If USER 1 creates an entry, the only way both users can view that entry is to set row ACL to public. Even adding both users to ACL (manually) doesn’t seem to change access rights.

So, the only “solution” I see is using masterkey and setting alternate columns that are hopefully in sync with ACL. Really don’t want to rely on that.

cryptokid · October 2, 2022, 3:27pm

I don’t know the answer. It should be something specific to how parse server works. Every user row is set to be accessible only by current user for security reasons.

It could be easier to create a separate table for those entries specific to users data.