Pointers Permissions

I am using user pointer in one of my object.

I was wondering if attributes.authData is considered as sensitive data that shouldn’t be accessible from the front end?

I think that you should not show that info in front end

is there a way to not returned this data by default? it is annoying if i have to create cloud function for everything containing user data

how do you get that data now?

you could try to use query.select to specify what to include

how? query.find().select() ?

you can search google how to use .select .include for parse server in general, you can also find on other forum posts

1 Like

I have noticed a bug:

From the browser, when i am using query.select("createdBy"); with createdBy a pointer to User, I can see in the network the response data being sent with the objectId.
However, when debugging my app into the code, the createdBy field is undefined. Probably the SDK is removing the data? Although I am getting it from the server perspective.

And something really weird is that it is working with live queries.

  query.select("createdBy");
  const subscription = await query.subscribe();

   subscription.on("create", (obj) => {
        const { id, attributes } =  obj;
        // attributes.createdBy.id exists
   })

you mean that the data makes is locally from the server to the browser, but it doesn’t show it from javascript console?

the data got from the server is not shown in the JS console

if you try to use console.log(obj) or console.log(JSON.stringify(ops)) what you get?

createdBy: {
   id: "wxuefewrgwrgwOoG"
}

When the user pointer is not my user, i only get the Id

usually you don’t get other users data without using master key

there is a bug then! try with live queries, you get all users’ data

you mean that you get more than user id?

      const query = new Moralis.Query("Product");
      query.select("createdBy");
      const subscription = await query.subscribe();
      subscription.on("create", (song) => {
          console.log(song.attributes.createdBy);
      })
       
     // console.log()
     // attributes: Object
     // ACL: ParseACL {permissionsById: {…}}
     // createdAt: Fri Dec 17 2021 08:21:34 GMT+0100 (Central European Standard Time) {}
     // ethAddress: "0x41e7e3fc64c31c7968e375c86182222a494ee234"
     // isOnline: true
     // updatedAt: Wed Jan 26 2022 23:03:58 GMT+0100 (Central European Standard Time) {}

As you can see, everything is returned. Without using master key.

@samteb, can you check again now with latest version of Moralis SDK?

It looks like it was a cacheing problem in the sdk and user data was not sent from the server in that case.

Last version of the SDK, the one using ether.js?

yes, the one using ether.js