Parse.com dashboard ACL display

[mtalma]

There seems to be a difference when you add an ACL to a class object from the Parse dashboard and when you add the ACL from cloud code (locally hosted).

In both cases, I am removing public read access and granting read access to the "Administrator" role and the owning user (in this case user id: 7sT0tCqA25).

From the Parse Dashboard, I see this added to my object:

"_acl": {
        "7sT0tCqA25": {
            "r": true
        },
        "role:Administrator": {
            "r": true
        }
    }

My cloud code to produce the ACL described above:

var orderACL = new Parse.ACL();
orderACL.setPublicReadAccess(false);
orderACL.setRoleReadAccess("Administrator",  true);
orderACL.setReadAccess( "7sT0tCqA25", true );
order.setACL(orderACL);
return order.save();

When executed, Parse server adds this to the DB:

"ACL": {
        "role:Administrator": {
            "read": true
        },
        "7sT0tCqA25": {
            "read": true
        }
    }

This is causing the Parse Dashboard not to display the correct ACL for the object.

[gfosco]

Interesting, because neither of those formats is how it actually goes in the database. ACLs are split in to 2 columns, _rperm and _wperm, one for read permissions, and one for write permissions. Older objects (>1 yr old) have an even older ACL format... take a look at transform.js and also spec/ParseACL.spec.js to see what is implemented and how it is tested.

[mtalma]

Ok just did the comparison again. I am seeing _rperm and _wperm. Here are the two full objects:

Setting permissions on Dashboard:

{
    "_id": "tzlHLw9p9W",
    "_rperm": [
        "7sT0tCqA25",
        "role:Administrator"
    ],
    "_p_client": "Client$fnSGmgEEA9",
    "amount": 4.95,
    "fee": 0.05,
    "authorized": false,
    "captured": false,
    "token": "r29MUo32h1",
    "orderNumber": "x1s37JM4X4YcDiFx4gwQUnTh/Fw=",
    "customerEmail": "matthew.talma@gmail.com",
    "nonce": "somenouce",
    "_updated_at": {
        "$date": "2016-02-02T08:11:46.211Z"
    },
    "_created_at": {
        "$date": "2016-02-02T08:03:36.261Z"
    },
    "_acl": {
        "7sT0tCqA25": {
            "r": true
        },
        "role:Administrator": {
            "r": true
        }
    },
    "_wperm": []
}

Through cloud code:

{
    "_id": "tzlHLw9p9W",
    "_rperm": [
        "role:Administrator",
        "7sT0tCqA25"
    ],
    "_p_client": "Client$fnSGmgEEA9",
    "amount": 4.95,
    "fee": 0.05,
    "authorized": false,
    "captured": false,
    "token": "r29MUo32h1",
    "orderNumber": "x1s37JM4X4YcDiFx4gwQUnTh/Fw=",
    "customerEmail": "matthew.talma@gmail.com",
    "nonce": "somenouce",
    "_updated_at": {
        "$date": "2016-02-02T08:08:38.558Z"
    },
    "_created_at": {
        "$date": "2016-02-02T08:03:36.261Z"
    }
}

[gfosco]

Ah, one of the recent changes around null behaviors may have interacted here... Looks like the _wperm entry is missed.

[mtalma]

Thanks. Although it seems that the Dashboard is looking for the "_acl" entry. Even when I added the _wperm entry, I still get the wrong ACL on the Dashboard.

Perhaps, since this is an 1+ year old app, my Dashboard has an internal config setting to look at "_acl" instead of the newer format?

[gfosco]

It may be that the dashboard expects Parse to write the ACL both ways, and so the dashboard depends on the _acl field. Are you experiencing a failure in ACL security, i.e. can you test that write permissions are failing?

[mtalma]

All ParseACL test passed:

Started
....{"$set":{"foo":"bar","_updated_at":"2016-02-03T05:23:01.045Z"}}
....{"$set":{"foo":"bar","_updated_at":"2016-02-03T05:23:01.944Z"}}
..{"$set":{"_rperm":["1wOPaR7wR6","*"],"_wperm":["1wOPaR7wR6"],"_updated_at":"2016-02-03T05:23:02.345Z"}}
.{"$set":{"_rperm":["T0YH5bjpRZ","*"],"_wperm":["T0YH5bjpRZ"],"_updated_at":"2016-02-03T05:23:02.541Z"}}
.{"$set":{"_rperm":["4dU2yvpTTQ","*"],"_wperm":["4dU2yvpTTQ"],"_updated_at":"2016-02-03T05:23:02.733Z"}}
{"$set":{"_rperm":["4dU2yvpTTQ","*"],"_wperm":["4dU2yvpTTQ"],"foo":"bar","_updated_at":"2016-02-03T05:23:02.740Z"}}
.{"$set":{"_rperm":["blufhLCrzC","*"],"_wperm":["blufhLCrzC"],"_updated_at":"2016-02-03T05:23:02.976Z"}}
.{"$set":{"_rperm":["CLjnOc04gO"],"_wperm":["CLjnOc04gO","*"],"_updated_at":"2016-02-03T05:23:03.187Z"}}
.{"$set":{"_rperm":["cXSMjpop8O"],"_wperm":["cXSMjpop8O","*"],"_updated_at":"2016-02-03T05:23:03.526Z"}}
.{"$set":{"_rperm":["rlA0wMOcpM"],"_wperm":["rlA0wMOcpM","*"],"_updated_at":"2016-02-03T05:23:03.903Z"}}
{"$set":{"_rperm":["rlA0wMOcpM"],"_wperm":["rlA0wMOcpM","*"],"foo":"bar","_updated_at":"2016-02-03T05:23:03.910Z"}}
.{"$set":{"_rperm":["F7F4YbtfyB"],"_wperm":["F7F4YbtfyB","*"],"_updated_at":"2016-02-03T05:23:04.127Z"}}
...{"$set":{"foo":"bar","_updated_at":"2016-02-03T05:23:05.089Z"}}
....{"$set":{"foo":"bar","_updated_at":"2016-02-03T05:23:06.152Z"}}
..{"$set":{"foo":"bar","_updated_at":"2016-02-03T05:23:06.556Z"}}
{"$set":{"foo":"bar","_updated_at":"2016-02-03T05:23:06.556Z"}}
...


29 specs, 0 failures
Finished in 6.91 seconds

Is there any way to support the newer _wperm and _rperm structure when viewing ACL on the Dashboard or would we have to hack it to also output the "_acl" entry?

[gfosco]

Just wanted to alert @drew-gross of this because of dashboard work.

[drew-gross]

Hey @mtalma, please try this from the Parse Server Dashboard (https://github.com/ParsePlatform/parse-dashboard) and if you have issues, open an issue on the repository.

[carmenlau]

I got the same problem here. When I change the ACL in parse-server, only _rperm and _wperm are changed, _acl will keep the old value. Parse.com dashboard will show the old value, and Parse Server Dashboard will show the updated ACL _rperm and _wperm. But the problem is when I update the ACL in parse.com, _rperm and _wperm will be overwritten to the old value.

Is this behavior expected?

_acl will be deprecated after migrate to parse-server?

Thanks!:)