Pointers Permissions

samteb · December 26, 2022, 1:35pm

I am using user pointer in one of my object.

I was wondering if attributes.authData is considered as sensitive data that shouldn’t be accessible from the front end?

cryptokid · January 25, 2022, 7:22pm

I think that you should not show that info in front end

samteb · January 25, 2022, 10:04pm

is there a way to not returned this data by default? it is annoying if i have to create cloud function for everything containing user data

cryptokid · January 25, 2022, 10:09pm

how do you get that data now?

you could try to use query.select to specify what to include

samteb · January 25, 2022, 10:44pm

how? query.find().select() ?

cryptokid · January 26, 2022, 8:12am

you can search google how to use .select .include for parse server in general, you can also find on other forum posts

samteb · January 26, 2022, 6:16pm

I have noticed a bug:

From the browser, when i am using query.select("createdBy"); with createdBy a pointer to User, I can see in the network the response data being sent with the objectId.
However, when debugging my app into the code, the createdBy field is undefined. Probably the SDK is removing the data? Although I am getting it from the server perspective.

And something really weird is that it is working with live queries.

  query.select("createdBy");
  const subscription = await query.subscribe();

   subscription.on("create", (obj) => {
        const { id, attributes } =  obj;
        // attributes.createdBy.id exists
   })

cryptokid · January 26, 2022, 6:15pm

you mean that the data makes is locally from the server to the browser, but it doesn’t show it from javascript console?

samteb · January 26, 2022, 6:18pm

the data got from the server is not shown in the JS console

cryptokid · January 26, 2022, 6:27pm

if you try to use console.log(obj) or console.log(JSON.stringify(ops)) what you get?

samteb · January 26, 2022, 7:40pm

createdBy: {
   id: "wxuefewrgwrgwOoG"
}

When the user pointer is not my user, i only get the Id

cryptokid · January 26, 2022, 7:50pm

usually you don’t get other users data without using master key

samteb · January 26, 2022, 9:25pm

there is a bug then! try with live queries, you get all users’ data

cryptokid · January 26, 2022, 9:28pm

you mean that you get more than user id?

samteb · January 26, 2022, 10:12pm

      const query = new Moralis.Query("Product");
      query.select("createdBy");
      const subscription = await query.subscribe();
      subscription.on("create", (song) => {
          console.log(song.attributes.createdBy);
      })
       
     // console.log()
     // attributes: Object
     // ACL: ParseACL {permissionsById: {…}}
     // createdAt: Fri Dec 17 2021 08:21:34 GMT+0100 (Central European Standard Time) {}
     // ethAddress: "0x41e7e3fc64c31c7968e375c86182222a494ee234"
     // isOnline: true
     // updatedAt: Wed Jan 26 2022 23:03:58 GMT+0100 (Central European Standard Time) {}

As you can see, everything is returned. Without using master key.

cryptokid · January 29, 2022, 8:25pm

@samteb, can you check again now with latest version of Moralis SDK?

It looks like it was a cacheing problem in the sdk and user data was not sent from the server in that case.

samteb · January 29, 2022, 8:24pm

Last version of the SDK, the one using ether.js?

cryptokid · January 29, 2022, 8:24pm

yes, the one using ether.js