Moralis Cloud Code, ACL and Triggers Questions

I have started making a game with Moralis, but I feel like I have come to a dead end due to Moralis security questions. I have read the docs; I am just asking for some clarity so I can proceed on my project.

If anyone can get the server URL and app ID, and I set it all up so that it is read-only with ACL permission to save the stats, what is stopping an individual from updating their own stats?

For example:
The User class has a column named money.
Nobody can update the row unless they have ACL.
That same player with ACL could update their own money, but nobody else's, by tweaking the code.

Give me some clarity please, I just want to finish this project.

In that case you can stop it with a beforeSave hook, or by using a totally different table to save that data and not saving it in the User class.

What could I put in beforeSave that would prevent a person from viewing the page source, starting a local server and running code like user.set("money",9999999); user.save(); with the API key and server URL to save their own money, since they have ACL permission to their own stuff?

I'm trying everything I can before replying. I feel like I have hit a brick wall.

I think that in beforeSave you can check if someone tried to change that money value and throw an error. It is not easy; it is easier to choose the solution with a different table.

You can also search on Google how to secure Parse Server, as Moralis Server is based on Parse Server.

Thanks for the fast reply. I guess it's just something that I'll have to figure out before finishing my project. If it will be working with real money, I can't continue till I solve this simple loophole.

On another note, I started using cloud functions, but most JS functions don't work there.

In cloud functions I can't use console.log or alert.

I tried to save data with a cloud function and I get this error:

Uncaught (in promise) Error: Cannot read properties of undefined (reading 'set')

You can set data in a cloud function. console.log doesn't work there; you can use logger.info there and see the output in the logs in the dashboard.

I think you first need to understand what cloud function is

It’s backend code - it runs in a server

Server code doesn't support "alert", which is a client-side feature that only works in the browser

Cloud functions can be compared to Node.js more than client JavaScript

Next - check the docs about logging - you use “logger.info” to print data instead of console.log

Next - check out this video about ACLs and database security https://youtu.be/Yd4gFQ5ppmQ

Finally - check out this course in moralis to get full understanding https://youtu.be/MY4WYoZPr-U

Good luck! We are here to help with specific questions also as always

I tried this simple code to save something in cloud functions. It's just a test:

Moralis.Cloud.define("register", async (request) => {
  const user = Moralis.User.current();
  user.set("registered", true);
  user.set("username", "billcollecter");
  user.save();

  return "registered";
});

But the console returns:
Uncaught (in promise) Error: Cannot read properties of undefined (reading 'set')

I got logger.info working already when I found that alert and console didn't work. Thanks, Ivan.

Ok great

Moralis.User.current()

doesn't work in a cloud function, only in browser client code, because it's the function to get the logged-in user. Cloud code is server side; it doesn't know who is logged in like the browser can

Server code handles requests from all users logged in on different browsers, all calling the same cloud function

Once a request hits the cloud function you have the request object and can get the user calling the cloud function using request.user

Server gets request from the client and can get the user from the request :raised_hands:

Let us know if that works for you

Thanks Ivan and cryptokid, I have found a solution to this concern using the master key and cloud functions.

Thanks for your help, keep up the good work.

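The approach the replies point to (a beforeSave check on the money column, plus a cloud function that reads request.user and saves with the master key), shown as an added example that is not code from any poster in the thread. It assumes Moralis triggers expose request.master and object.dirty() the way Parse Server does; claimReward, REWARDS, the action names and fakeUser are hypothetical.

```javascript
// Added example, not code from the thread. "money" is the thread's column;
// "claimReward", REWARDS and the action names are hypothetical.
const REWARDS = { dailyLogin: 10, questComplete: 50 }; // constructed values

// beforeSave guard on the User class: only a save made with the master key
// (i.e. from cloud code) may change "money". Client saves touching it fail.
function guardMoney(request) {
  if (request.master) return;
  if (request.object.dirty("money")) {
    throw new Error("money can only be changed by cloud code");
  }
}

// Cloud function: the caller is request.user (Moralis.User.current() is
// browser-only). The client names an action; the server picks the amount.
async function claimReward(request) {
  const user = request.user;
  if (!user) throw new Error("not logged in");
  const action = request.params.action;
  if (!Object.prototype.hasOwnProperty.call(REWARDS, action)) {
    throw new Error("unknown action");
  }
  user.set("money", (user.get("money") || 0) + REWARDS[action]);
  await user.save(null, { useMasterKey: true }); // guardMoney sees request.master
  return user.get("money");
}

// Register the handlers only when loaded as Moralis cloud code.
if (typeof Moralis !== "undefined") {
  Moralis.Cloud.beforeSave(Moralis.User, guardMoney);
  Moralis.Cloud.define("claimReward", claimReward);
}

// Constructed in-memory stand-in for a user row, so the logic runs offline.
function fakeUser(initial) {
  const data = { ...initial }, changed = new Set();
  const u = {
    get: (k) => data[k],
    set: (k, v) => { data[k] = v; changed.add(k); },
    dirty: (k) => changed.has(k),
    save: async (_attrs, opts = {}) => {
      guardMoney({ object: u, master: opts.useMasterKey === true });
      changed.clear();
    },
  };
  return u;
}
```

The lookup table only fixes the amount; whether the player actually earned the action still has to be checked in the cloud function before the save.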