@mtrezza mtrezza commented Oct 5, 2025

New Pull Request Checklist

Issue Description

The dashboard config objects are stored on server with public read / write access.

Approach

Store with read / write by master key only.

Summary by CodeRabbit

  • Bug Fixes
    • Tightened access controls on server configuration data to prevent unintended exposure. Configuration entries now default to restricted access, reducing risk from misconfiguration or unauthorized reads. No changes to how configuration is retrieved or deleted, and no user-facing behavior changes are expected. This hardening improves overall security and integrity of server settings while maintaining existing functionality and performance.


🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

@parseplatformorg
Contributor

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)


coderabbitai bot commented Oct 5, 2025

Caution

Review failed

The pull request is closed.

📝 Walkthrough

setConfig in src/lib/ServerConfigStorage.js now sets an empty Parse ACL on the config object before saving with the master key. Retrieval and deletion logic remain unchanged.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Server config storage `src/lib/ServerConfigStorage.js` | In setConfig, after updating typed fields and clearing others, assigns `configObject.setACL(new Parse.ACL())` before saving with master key. No changes to get/delete paths. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Caller
  participant S as ServerConfigStorage.setConfig
  participant P as Parse.Object(Config)

  C->>S: setConfig(key, value)
  S->>P: set typed field(s) based on value
  S->>P: clear other value fields
  Note over S,P: New step: set empty ACL
  S->>P: setACL(new Parse.ACL())
  S->>P: save({ useMasterKey: true })
  P-->>S: saved
  S-->>C: resolve

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dde78a3 and 0f7c618.

📒 Files selected for processing (1)
  • src/lib/ServerConfigStorage.js (1 hunks)


@mtrezza mtrezza merged commit 31a4639 into parse-community:alpha Oct 5, 2025
10 of 11 checks passed
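
The effect of the empty ACL described in the walkthrough above, as an added example that is not code from this pull request or from Parse Dashboard: it classifies the `ACL` field of stored objects in Parse's JSON form and lists every object that a request without the master key can still read or write. The sample rows, object IDs, keys and function names are constructed for illustration, and class-level permissions are not modelled.

```javascript
'use strict';

// Constructed sample rows in the JSON shape Parse uses for objects.
// The objectIds and keys are made up for this example.
const sampleRows = [
  { objectId: 'cfgA', key: 'constructed.one' }, // no ACL stored at all
  { objectId: 'cfgB', key: 'constructed.two', ACL: { '*': { read: true, write: true } } },
  { objectId: 'cfgC', key: 'constructed.three', ACL: { '*': { read: true } } },
  { objectId: 'cfgD', key: 'constructed.four', ACL: { 'role:Admin': { read: true, write: true } } },
  { objectId: 'cfgE', key: 'constructed.five', ACL: {} }, // what new Parse.ACL() serializes to
];

// Returns who, other than a master-key request, can read or write the row.
function classifyAcl(row) {
  const acl = row.ACL;
  if (acl === undefined || acl === null) {
    // No ACL stored: object-level access is open to every client.
    return { publicRead: true, publicWrite: true, grantees: [], masterKeyOnly: false };
  }
  if (typeof acl !== 'object' || Array.isArray(acl)) {
    throw new TypeError(`row ${row.objectId}: ACL is not an object`);
  }
  // A permission counts only when it is explicitly true for that id.
  const grants = (id, perm) => Boolean(acl[id] && acl[id][perm] === true);
  const grantees = Object.keys(acl).filter(
    (id) => id !== '*' && (grants(id, 'read') || grants(id, 'write'))
  );
  const publicRead = grants('*', 'read');
  const publicWrite = grants('*', 'write');
  return {
    publicRead,
    publicWrite,
    grantees,
    // Empty ACL (or one with no effective grants): master key only.
    masterKeyOnly: !publicRead && !publicWrite && grantees.length === 0,
  };
}

// Lists every row that something other than the master key can reach.
function auditRows(rows) {
  return rows
    .map((row) => ({ objectId: row.objectId, ...classifyAcl(row) }))
    .filter((finding) => !finding.masterKeyOnly);
}

console.log(auditRows(sampleRows));
```
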
parseplatformorg pushed a commit that referenced this pull request Oct 5, 2025
# [7.6.0-alpha.7](7.6.0-alpha.6...7.6.0-alpha.7) (2025-10-05)

### Bug Fixes

* Dashboard config objects stored on server with public read / write access ([#2997](#2997)) ([31a4639](31a4639))
@parseplatformorg
Contributor

🎉 This change has been released in version 7.6.0-alpha.7

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Oct 5, 2025
@mtrezza mtrezza deleted the fix/dashboard-config-acl branch October 5, 2025 12:41