Cannot run `distinct` query as normal user

[jost-s]

Issue Description

I want to run a distinct query but get error message that master key was not provided. Checking in the code and tests this seems intentional. Why should these queries only be executed with master key?

Steps to reproduce

Run a query like new Parse.Query('SomeObject').distinct('property') from a client app.

Expected Results

Query is run successfully.

Actual Outcome

Error is thrown "Master Key was not provided".

Test Case

To accurately reproduce your issue. Add your test cases here and read the Contributing Guide to run the tests.

Environment Setup

• Server

  • parse-server version (Be specific! Don't say 'latest'.) : 3.9.0
  • Operating System: macOS 10.13
  • Hardware: MacBook Pro 2018
  • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): localhost

• JS SDK

  • JS SDK version: 2.0.0
  • Application? (Browser, Node, React-Native, etc): Browser

Logs/Trace

[dplewis]

You should use distinct in a cloud code where you have master key provided.

We found that aggregate calls are unsafe to call without master key.

Here is a past security example where expensive calls can lead to an attack.

[jost-s]

@dplewis Alright, got it, thank you!