Restful key does not prevent creating new objects #2816
Comments
Confirmed, e.g. start server with: X-Parse-REST-API-Key can be any value or omitted. A workaround is to start the server with all 4 keys: clientKey, javascriptKey, dotNetKey, restAPIKey. I think this has been raised before but can't find the issue. The offending line is here: https://github.com/ParsePlatform/parse-server/blob/master/src/middlewares.js#L136 Not sure why we don't just check if keyMismatch > 0 @flovilmart ?
Not sure either but there has to be a reason. There was a lot of back and forth on that piece of code. I'll check the history.
Confirmed, initializing with dotNetKey does indeed give the expected outcome, thanks for your help.
Can we keep open? Key checking is not behaving as expected and shouldn't require a workaround. It is a security issue for anyone who doesn't specify all keys.
that's effectively a bug... wanna knock it down @steven-supersolid ?
Sure, I can take a look
Closing due to merged PR that addresses this issue
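
The behaviour confirmed in this thread, as an added example that is not part of the original issue, parse-server's code, or the merged PR: a simplified model in which a request is rejected only when all four key slots mismatch (an assumption consistent with the workaround of configuring all 4 keys), next to one stricter check. The function names and sample key values are constructed for illustration.

```javascript
// Added illustration; a simplified model, not parse-server's middlewares.js.
const KEYS = ['clientKey', 'javascriptKey', 'dotNetKey', 'restAPIKey'];

// Count configured keys that the request fails to match.
function countMismatches(config, info) {
  return KEYS.filter((k) => config[k] && info[k] !== config[k]).length;
}

// Assumed shape of the lenient check: reject only when every slot mismatches.
// With fewer than four keys configured the count can never reach KEYS.length.
function lenientAllows(config, info) {
  return countMismatches(config, info) !== KEYS.length;
}

// Stricter check (one possible fix): if any key is configured, the request
// must present at least one configured key with the exact value.
function strictAllows(config, info) {
  const configured = KEYS.filter((k) => config[k] !== undefined);
  if (configured.length === 0) return true; // no-keys deployment stays open
  return configured.some((k) => info[k] === config[k]);
}

// Constructed sample configurations and requests.
const restOnly = { restAPIKey: 'rest-secret' };
const allFour = { clientKey: 'c', javascriptKey: 'j', dotNetKey: 'd', restAPIKey: 'rest-secret' };
const cases = [
  ['no key header', {}],
  ['wrong REST key', { restAPIKey: 'guess' }],
  ['correct REST key', { restAPIKey: 'rest-secret' }],
];

// Evaluate both checks for every sample request against one configuration.
function evaluate(config) {
  return cases.map(([label, info]) => ({
    label,
    lenient: lenientAllows(config, info),
    strict: strictAllows(config, info),
  }));
}

console.table(evaluate(restOnly));
console.table(evaluate(allFour));
```

A regression test for this class of bug should cover each single-key configuration, not only the all-keys and no-keys cases.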
Issue
The exact issue is that I don't want restful API to be able to write new objects to classes, so I set up a restful API key which I thought would prevent any restful calls (a call that doesn't include the restful key) from writing any new objects; however, I am still able to do so (with or without the key).
Steps to reproduce
curl -X POST \
Expected Results
Not be able to create new objects to class using restful api
Actual Outcome
able to create new objects
Environment Setup