Protect a field in a database table

Hi :slight_smile:

I would like to protect a column in the User table so that it can only be updated with the master key. How can I do it?
I created a Role, as you can see in the screenshot, and then I went to the User table, opened the protected fields option and associated the created role with the email field. So, I would expect that the user would not be able to update his email directly from the client; however, the user is able to update the email from the client side. What am I missing?

The code used to create the role:

```javascript
const roleACL = new Moralis.ACL();
const role = new Moralis.Role("block", roleACL);
role.save();
```

Thank you,
Pedro

Hi @pedrosantos! When you use the Admin UI you can do everything, as you are using it as system admin.

Thanks for the reply @ivan. But I am talking about the UI from my client side. Even with this role associated with the table field that I want to protect, any authenticated user is able to change the field.

A User by default can edit his own values, but not the values of other users.

If you want to prohibit a user from editing their own fields for some reason, implement a “beforeSave” trigger in a cloud function and reject the save there.


Many Thanks @ivan I was able to do it after following your recommendation. I will share here the code, in case someone else has the same difficulty.
In this case, I am blocking the access to the field/column named “points” from the table User. Maybe, there is a more elegant way to do it, but it passed the tests I did, so here it is…

EDITED - THIS SOLUTION DIDN’T WORK


```javascript
Moralis.Cloud.beforeSave(Moralis.User, async (request) => {
  // any additional beforeSave logic here

}, {
  fields: {
    points: {
      required: false,
      type: String,
      options: val => {
        return val.length == 0;
      },
      error: "It is not possible to change points field"
    }
  }
});
```

Thanks, Pedro


@ivan This way broke the login of the users :sweat_smile: The beforeSave for the User class is called when the user logs in, and because the length of the field can be bigger than 0, the user is not able to log in. I also tried to write a log where I print the “request” variable that we should receive in the argument of the function to try to find a solution; however, it is always empty. Any suggestion? Do we have a way to protect a specific field with the master key? Or is the only option to create a new table to save this field? :thinking:

Check if the Points have changed.

Moralis Cloud functions are built on Parse - see this discussion about checking if a value changed with Parse; it should be the same for Moralis.

They use .original
Please try that.

Also try .dirty


When trying to find a solution for Moralis, you can also google “ParseServer” instead of Moralis to see a lot of forums and chats about queries, triggers, DB, etc.


Many Thanks for the help @ivan. I think this time everything works as expected :smiley:

Here is the solution:

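```javascript
Moralis.Cloud.beforeSave(Moralis.User, (request) => {
  // The User object as it is about to be saved
  var userObject = request.object;

  // Reject the save when "points" was modified and the request
  // was not made with the master key
  if (!request.master && userObject.dirty("points")) {
    throw "You can not change points";
  }
});
```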

Thanks,
Pedro

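An added example, not code from any of the posts above: the same dirty-field check generalised to a list of protected fields and run against constructed requests. It shows why checking what changed, rather than validating the field's value, leaves ordinary saves such as the one at login alone. The names `PROTECTED_FIELDS`, `guardProtectedFields`, `fakeUser` and `outcome` are hypothetical, and `fakeUser` models only the `dirty()` method of the object a trigger receives.

```javascript
// Added example. Fields only a master-key save may change (the list is an assumption).
const PROTECTED_FIELDS = ["points"];

// Guard intended to be called from a beforeSave trigger, for instance:
//   Moralis.Cloud.beforeSave(Moralis.User, (request) => guardProtectedFields(request));
// It looks at which fields CHANGED, not at their stored values, so a save that
// does not touch a protected field passes even when the field is non-empty.
function guardProtectedFields(request) {
  if (request.master) return; // master-key saves are trusted
  const changed = PROTECTED_FIELDS.filter((field) => request.object.dirty(field));
  if (changed.length > 0) {
    throw "You can not change " + changed.join(", ");
  }
}

// Constructed stand-in for request.object: dirtyKeys lists the modified fields.
function fakeUser(dirtyKeys) {
  return { dirty: (key) => dirtyKeys.includes(key) };
}

// Runs the guard and returns "allowed" or the rejection message.
function outcome(request) {
  try {
    guardProtectedFields(request);
    return "allowed";
  } catch (err) {
    return String(err);
  }
}

// Constructed requests covering the situations discussed in the thread.
const results = {
  // Save that leaves "points" untouched (the thread reports one happens at login)
  untouched: outcome({ master: false, object: fakeUser([]) }),
  // Client edits another field of its own user record
  otherField: outcome({ master: false, object: fakeUser(["email"]) }),
  // Client tries to change the protected field
  clientPoints: outcome({ master: false, object: fakeUser(["points"]) }),
  // Server-side code saving with the master key
  masterPoints: outcome({ master: true, object: fakeUser(["points"]) }),
};

console.log(results);
```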