[SOLVED] Moralis Database ACL Security Clarification

Hey guys,

I’m getting ready to deploy my dapp, and I have some queries about what exactly ACL permissions are. Currently, I have a table which updates with relevant info when a user performs certain transactions on the dapp. All rows in that table have ACL read+write.

I don’t really have any sensitive info on the website since everything is decentralised anyway. The only concern I have is that I don’t want anyone except myself and my team to be able to access and change database values.

So my question is this: Do I need to change any of the ACL permissions or can I leave them as read+write? Does having ACL read + write permissions mean that anyone can read or write data?

I went through the Moralis Security docs, however I’m still not entirely clear about this.

NOTE: I am using a self-hosted Moralis server with MongoDB.

Thanks!

Did you install parse dashboard to see the ACLs?

ACL is per row; with read+write it means that a specific user can read and write the data from that row specific to that user account. You can add extra checks in a beforeSave hook to be sure that the user is not able to update specific information in that row.

Depending on how you add data to that table: for example, if you add data only from the backend using the master key, then you can change the CLP directly so that only a specific role can read and write that data, or make it accessible only with the master key.

Yes, I installed parse-dashboard to see the ACLs. Also, I only add data from the backend, so I assume I can simply configure who gets to do this from my MongoDB account, right?

If you only add data from the backend, then you can update the CLP to block write access on that table directly from the Parse dashboard.

I just tried that, but that stopped me from updating the table. I turned off all read and write access for public.

How do you want to update the table? You could still do it with the master key from the backend or from cloud code.

Do I have to use the master key in every line? For example:

createdWhoopys.set("whoopyName", whoopyName, {useMasterKey})
await createdWhoopys.save({useMasterKey})

I tried adding masterKey to Moralis.start, but that didn’t work.

Yes, you have to use it for every save, and that is not the correct syntax for using the master key with the save function. You have to pass it as the second parameter.

It’s not working. I’m using the following syntax: await newClone.save(null, {useMasterKey: true})

Any idea why? All CLP permissions are disabled.

What happens when it is not working?
Did you set the master key with Moralis.start?

Okay, it’s working. I have Moralis.start in two places in my folder, so I set the master key in both. Thanks!!

1 Like
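The replies above describe three layers that decide whether a request may touch a row: the master key, the class-level permission (CLP) on the table, and the per-row ACL, plus an optional beforeSave hook, and the end of the thread shows that useMasterKey in save() only works once the client actually holds the master key. The following is an added example, not code from the thread or from Moralis/Parse: a small stand-alone JavaScript model of that decision order that runs without the SDK. The evaluation rules follow Parse Server's documented behaviour (master key bypasses CLP and ACL; a missing CLP operation is open, an empty one is closed to everyone but the master key; ACL entries are keyed by "*", a user's objectId or "role:Name"); the table names, user ids, role name and the list of protected fields are constructed for illustration.

```javascript
// Added example: model of Parse Server's authorization order for one request.
// Not the Moralis/Parse SDK; all data below is constructed for illustration.

// Keys a CLP or ACL entry can match for a request: everyone ("*"),
// the caller's own objectId, and "role:<Name>" for each role the caller holds.
function principals(session) {
  const keys = ['*'];
  if (session && session.userId) {
    keys.push(session.userId);
    for (const role of session.roles || []) keys.push(`role:${role}`);
  }
  return keys;
}

// Class-level permission. A missing operation key means the table is open for
// that operation (the default); an empty object, which is what switching public
// access off in the dashboard produces, means nobody except the master key.
function clpAllows(clp, op, session) {
  const perms = (clp || {})[op];
  if (perms === undefined) return true;
  if (perms['*'] === true) return true;
  if (perms.requiresAuthentication === true && session && session.userId) return true;
  return principals(session).some((p) => perms[p] === true);
}

// Per-row ACL. A row with no ACL is publicly readable and writable.
const READ_OPS = new Set(['get', 'find', 'count']);

function aclAllows(acl, op, session) {
  if (op === 'create') return true; // a row being created has no ACL yet
  if (!acl) return true;
  const kind = READ_OPS.has(op) ? 'read' : 'write';
  return principals(session).some((p) => acl[p] && acl[p][kind] === true);
}

// Full decision. useMasterKey only has an effect when the client was started
// with the master key (Moralis.start({ ..., masterKey }) in the thread).
function authorize({ table, row, op, session, useMasterKey = false, client }) {
  if (useMasterKey && client.masterKey) return { allowed: true, via: 'masterKey' };
  if (!clpAllows(table.clp, op, session)) return { allowed: false, via: 'clp' };
  if (!aclAllows(row && row.ACL, op, session)) return { allowed: false, via: 'acl' };
  return { allowed: true, via: 'acl' };
}

// beforeSave-style guard: even when CLP and ACL permit the write, refuse client
// changes to fields only the backend should set. The field list is an assumption.
const PROTECTED_FIELDS = ['whoopyName'];

function beforeSaveGuard(changes, useMasterKey, client) {
  if (useMasterKey && client.masterKey) return { ok: true };
  const blocked = Object.keys(changes).filter((f) => PROTECTED_FIELDS.includes(f));
  if (blocked.length) return { ok: false, reason: `protected field(s): ${blocked.join(', ')}` };
  return { ok: true };
}

// Mirrors obj.save(null, { useMasterKey: true }): permission check, then beforeSave.
function save(table, row, changes, session, options, client) {
  const useMasterKey = Boolean(options && options.useMasterKey);
  const auth = authorize({ table, row, op: 'update', session, useMasterKey, client });
  if (!auth.allowed) return { saved: false, reason: `denied by ${auth.via}` };
  const guard = beforeSaveGuard(changes, useMasterKey, client);
  if (!guard.ok) return { saved: false, reason: guard.reason };
  Object.assign(row, changes);
  return { saved: true, reason: auth.via };
}

// ---- constructed sample data ----
const publicRow = () => ({ objectId: 'row1', whoopyName: 'a', ACL: { '*': { read: true, write: true } } });
const ownerRow = () => ({ objectId: 'row2', whoopyName: 'b', ACL: { uAlice: { read: true, write: true } } });
const openTable = { clp: {} }; // every operation public (default)
const lockedTable = { clp: { find: {}, get: {}, count: {}, create: {}, update: {}, delete: {}, addField: {} } };
const teamTable = { clp: { create: { 'role:Team': true }, update: { 'role:Team': true }, delete: { 'role:Team': true } } };

const anonymous = null;
const alice = { userId: 'uAlice', roles: [] };
const bob = { userId: 'uBob', roles: ['Team'] };
const browserClient = { masterKey: null }; // Moralis.start without a master key
const backendClient = { masterKey: 'constructed-master-key' };

// Stand-alone run: public ACL on an open table lets an anonymous caller write,
// a locked CLP blocks the same write unless the master key is really configured.
console.log(save(openTable, publicRow(), { note: 'x' }, anonymous, {}, browserClient));
console.log(save(lockedTable, publicRow(), { note: 'x' }, anonymous, { useMasterKey: true }, browserClient));
console.log(save(lockedTable, publicRow(), { note: 'x' }, anonymous, { useMasterKey: true }, backendClient));
```

The model reproduces the thread's outcome: with the public CLP switched off, a client write fails whether or not it passes useMasterKey, until the master key is configured on the client that makes the call; and a public read+write ACL on a row only matters when the CLP lets the request through in the first place.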