feat: Deprecation DEPPS12: Database option allowPublicExplain defaults to false

[mtrezza]

Summary by CodeRabbit

• Security Updates
  • Query.explain() now requires the master key by default.
  • The public explain setting now defaults to false.
  • The related deprecation entry has been removed.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[parse-github-assistant]

🚀 Thanks for opening this pull request!

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR removes the deprecation entry for databaseOptions.allowPublicExplain, changes its default from true to false, and updates runtime and tests so explain queries require the master key unless config.databaseOptions.allowPublicExplain is explicitly enabled.

Changes

Cohort / File(s)	Summary
Deprecation docs & metadata DEPRECATIONS.md, src/Deprecator/Deprecations.js	Removed the deprecation entry for databaseOptions.allowPublicExplain; updated DEPRECATIONS.md to mark DEPPS12 as removed and changed its wording to indicate the default is now false.
Option definitions & comments src/Options/Definitions.js, src/Options/index.js	Changed DatabaseOptions.allowPublicExplain default from true to false; updated corresponding comment/documentation default value.
Runtime behavior src/rest.js	Enforced that using the explain query parameter without the master key results in an INVALID_QUERY error unless config.databaseOptions.allowPublicExplain is explicitly enabled.
Tests spec/Deprecator.spec.js, spec/ParseQuery.spec.js	Updated tests to use the new nested option key (databaseOptions.testOption in tests) and to require useMasterKey: true for explain-related operations; removed deprecation log assertions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Review src/rest.js to ensure the master-key enforcement around explain is correct and error codes/messages match expectations.
• Verify src/Options/Definitions.js default change doesn't conflict with other configuration handling or documented behavior.
• Run/update spec/ParseQuery.spec.js and spec/Deprecator.spec.js to confirm tests reflect the new default and nested option usage.

Possibly related PRs

• feat: Add Parse Server option allowPublicExplain to allow Parse.Query.explain without master key #9890 — Modifies handling of databaseOptions.allowPublicExplain and related defaults/deprecations; closely connected to this change.
• fix: Deprecation warning logged at server launch for nested Parse Server option even if option is explicitly set #9934 — Touches Deprecator nested-option handling and related tests that were updated here.
• fix: GridFSBucketAdapter throws when using some Parse Server specific options in MongoDB database options #9915 — Adds/centralizes the database option in options/types; relevant to the option-definition and defaults changes.

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request lacks a description entirely, failing to follow the required template with essential sections like Issue link, Approach, and Tasks checklist.	Add a comprehensive PR description following the template: include the issue link, describe the approach and changes, and check relevant task items.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title accurately and specifically describes the main change: implementing Deprecation DEPPS12 where allowPublicExplain defaults to false.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 16ac26b and 3e1dfc1.

📒 Files selected for processing (4)

• DEPRECATIONS.md (1 hunks)
• src/Deprecator/Deprecations.js (0 hunks)
• src/Options/Definitions.js (1 hunks)
• src/Options/index.js (1 hunks)

💤 Files with no reviewable changes (1)

• src/Deprecator/Deprecations.js

🚧 Files skipped from review as they are similar to previous changes (2)

• src/Options/index.js
• src/Options/Definitions.js

🧰 Additional context used

🧠 Learnings (9)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

📚 Learning: 2025-12-02T06:55:53.808Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T06:55:53.808Z
Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js.

Applied to files:

• DEPRECATIONS.md

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• DEPRECATIONS.md

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Applied to files:

• DEPRECATIONS.md

📚 Learning: 2025-11-17T15:02:48.786Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Applied to files:

• DEPRECATIONS.md

📚 Learning: 2025-11-17T15:02:24.824Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

Applied to files:

• DEPRECATIONS.md

📚 Learning: 2025-08-27T09:08:34.252Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:446-454
Timestamp: 2025-08-27T09:08:34.252Z
Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures.

Applied to files:

• DEPRECATIONS.md

📚 Learning: 2025-12-02T08:00:20.138Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.

Applied to files:

• DEPRECATIONS.md

📚 Learning: 2025-12-02T08:00:08.440Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:08.440Z
Learning: For Parse Server 9 release preparation, the parse/push-adapter dependency should be upgraded to version >= 8.0.0, not 7.x, as version 8.x is required despite dropping Node 18 support (which aligns with Parse Server 9's removal of EOL Node versions).

Applied to files:

• DEPRECATIONS.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Redis Cache
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: Node 22
• GitHub Check: Circular Dependencies
• GitHub Check: Docker Build
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: Code Analysis (javascript)
• GitHub Check: Benchmarks

🔇 Additional comments (1)

DEPRECATIONS.md (1)

18-18: DEPPS12 entry is correctly aligned with implementation. ✅

The deprecation entry accurately reflects the breaking change: allowPublicExplain now defaults to false, requiring the master key for explain queries by default (a security improvement). The status and timeline are consistent with other deprecation removals in the Parse Server 9 release cycle.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[mtrezza]

BREAKING CHANGE: This release changes the MongoDB database option allowPublicExplain default to false (Deprecation DEPPS12).

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

src/Options/Definitions.js (1)

1149-1155: Default value direction likely incorrect vs PR objective/title (false vs “defaults to true”).

Line 1154 sets default: false, which contradicts the PR objective/title (“defaults to true”) and the DEPRECATIONS.md DEPPS12 row text.

If the intent is “default to true”, change to:

  allowPublicExplain: {
    env: 'PARSE_SERVER_DATABASE_ALLOW_PUBLIC_EXPLAIN',
    help:
      'Set to `true` to allow `Parse.Query.explain` without master key.<br><br>\u26A0\uFE0F Enabling this option may expose sensitive query performance data to unauthorized users and could potentially be exploited for malicious purposes.',
    action: parsers.booleanParser,
-   default: false,
+   default: true,
  },

If the intent is “default to false” (more secure), then the PR title/objectives + DEPRECATIONS.md need to be updated accordingly.

src/rest.js (1)

39-48: Security-sensitive behavior vs PR objective mismatch: this makes public explain opt-in by default.

Line 40 hard-defaults allowPublicExplain to false, and Lines 42-47 reject explain without master key unless explicitly enabled. That contradicts the PR objective/title (“defaults to true”).

If the intent is actually to default to true, update:

-    const allowPublicExplain = config.databaseOptions?.allowPublicExplain ?? false;
+    const allowPublicExplain = config.databaseOptions?.allowPublicExplain ?? true;

Otherwise (if the intent is to default to false), please update the PR title/objectives and DEPRECATIONS.md DEPPS12 row to match this behavior.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aa98357 and 16ac26b.

📒 Files selected for processing (7)

• DEPRECATIONS.md (1 hunks)
• spec/Deprecator.spec.js (2 hunks)
• spec/ParseQuery.spec.js (3 hunks)
• src/Deprecator/Deprecations.js (0 hunks)
• src/Options/Definitions.js (1 hunks)
• src/Options/index.js (1 hunks)
• src/rest.js (1 hunks)

💤 Files with no reviewable changes (1)

• src/Deprecator/Deprecations.js

🧰 Additional context used

🧠 Learnings (13)

📓 Common learnings

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: When reviewing Parse Server PRs that add new features, always check whether the feature is documented in the README.md file, though for new Parse Server options this is optional rather than required.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:48.786Z
Learning: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion on every commit. The format should be: type(scope): description. Common types include feat, fix, perf, refactor, docs, test, chore. The scope should identify the subsystem (e.g., graphql, rest, push, security). The description should be action-oriented and clearly convey the change's impact to developers.

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-17T15:02:24.824Z
Learning: For Parse Server PRs, always suggest an Angular-style PR title that would make a meaningful changelog entry for developers. Update the PR title suggestion with every new commit to the PR.

📚 Learning: 2025-11-08T13:46:04.940Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-11-08T13:46:04.940Z
Learning: For new Parse Server options, verify that the option is documented in src/Options/index.js and that npm run definitions has been executed to reflect changes in src/Options/docs.js and src/Options/Definitions.js. README.md documentation is a bonus but not required for new options.

Applied to files:

• src/Options/Definitions.js
• src/rest.js
• spec/Deprecator.spec.js
• src/Options/index.js

📚 Learning: 2025-12-02T06:55:53.808Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T06:55:53.808Z
Learning: When reviewing Parse Server PRs that add or modify Parse Server options, always verify that changes are properly reflected in three files: src/Options/index.js (where changes originate), src/Options/Definitions.js, and src/Options/docs.js. The correct workflow is: make changes in index.js first, then run `npm run definitions` to automatically replicate the changes to Definitions.js and docs.js.

Applied to files:

• src/Options/Definitions.js
• spec/Deprecator.spec.js
• src/Options/index.js

📚 Learning: 2025-09-21T15:43:32.265Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9858
File: src/GraphQL/ParseGraphQLServer.js:176-178
Timestamp: 2025-09-21T15:43:32.265Z
Learning: The GraphQL playground feature in ParseGraphQLServer.js (applyPlayground method) is intended for development environments only, which is why it includes the master key in client-side headers.

Applied to files:

• src/Options/Definitions.js
• spec/ParseQuery.spec.js

📚 Learning: 2025-05-04T20:41:05.147Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

• spec/Deprecator.spec.js
• spec/ParseQuery.spec.js

📚 Learning: 2025-08-27T09:08:34.252Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:446-454
Timestamp: 2025-08-27T09:08:34.252Z
Learning: When analyzing function signature changes in Parse Server codebase, verify that call sites are actually incorrect before flagging them. Passing tests are a strong indicator that function calls are already properly aligned with new signatures.

Applied to files:

• spec/Deprecator.spec.js

📚 Learning: 2025-10-16T19:27:05.311Z

Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

• spec/Deprecator.spec.js
• spec/ParseQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

• spec/Deprecator.spec.js
• spec/ParseQuery.spec.js

📚 Learning: 2025-04-30T19:31:35.344Z

Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

• spec/ParseQuery.spec.js

📚 Learning: 2025-05-09T09:59:06.289Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

• spec/ParseQuery.spec.js

📚 Learning: 2025-08-27T12:33:06.237Z

Learnt from: EmpiDev
Repo: parse-community/parse-server PR: 9770
File: src/triggers.js:467-477
Timestamp: 2025-08-27T12:33:06.237Z
Learning: In the Parse Server codebase, maybeRunAfterFindTrigger is called in production with Parse.Query objects constructed via withJSON(), so the plain object query handling bug only affects tests, not production code paths.

Applied to files:

• spec/ParseQuery.spec.js

📚 Learning: 2025-12-02T08:00:20.138Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:20.138Z
Learning: For Parse Server 9 release (PR #9938 and related), the parse/push-adapter dependency must be upgraded to version >= 8.0.0, not 7.0.0. Version 8.x drops support for Node 18.

Applied to files:

• DEPRECATIONS.md

📚 Learning: 2025-12-02T08:00:08.440Z

Learnt from: mtrezza
Repo: parse-community/parse-server PR: 0
File: :0-0
Timestamp: 2025-12-02T08:00:08.440Z
Learning: For Parse Server 9 release preparation, the parse/push-adapter dependency should be upgraded to version >= 8.0.0, not 7.x, as version 8.x is required despite dropping Node 18 support (which aligns with Parse Server 9's removal of EOL Node versions).

Applied to files:

• DEPRECATIONS.md

🧬 Code graph analysis (1)

spec/ParseQuery.spec.js (2)

spec/PushController.spec.js (1)

• result (32-32)

spec/Parse.Push.spec.js (1)

• result (8-8)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)

• GitHub Check: Docker Build
• GitHub Check: Node 18
• GitHub Check: PostgreSQL 17, PostGIS 3.5
• GitHub Check: Redis Cache
• GitHub Check: Node 22
• GitHub Check: Node 20
• GitHub Check: MongoDB 7, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.4
• GitHub Check: PostgreSQL 16, PostGIS 3.5
• GitHub Check: MongoDB 6, ReplicaSet
• GitHub Check: PostgreSQL 15, PostGIS 3.3
• GitHub Check: MongoDB 8, ReplicaSet
• GitHub Check: PostgreSQL 18, PostGIS 3.6
• GitHub Check: Code Analysis (javascript)
• GitHub Check: PostgreSQL 15, PostGIS 3.5
• GitHub Check: Benchmarks

🔇 Additional comments (4)

spec/Deprecator.spec.js (1)

49-61: Good test isolation for nested dot-notation deprecation keys.

Switching the test from databaseOptions.allowPublicExplain to a dummy databaseOptions.testOption makes the Deprecator unit test resilient to future behavior/security changes of allowPublicExplain.

Also applies to: 62-72

src/Options/Definitions.js (1)

1-5: Verified: src/Options/docs.js was properly regenerated with consistent defaults.

The allowPublicExplain option is consistently defined across all three files:

• src/Options/index.js (line 756-757): :DEFAULT: false
• src/Options/Definitions.js (line 1154): default: false
• src/Options/docs.js (line 261): Help text matches, confirming regeneration occurred

All files reflect the same default value and documentation, including the security warning with proper Unicode formatting.

spec/ParseQuery.spec.js (2)

5362-5375: LGTM! Master key correctly added for default explain behavior.

The test now correctly passes { useMasterKey: true } when using explain, which aligns with the new default behavior where allowPublicExplain defaults to false.

---

5535-5565: LGTM! Test correctly validates new default behavior.

The updated test properly validates that:

1. explain() fails without master key when allowPublicExplain is undefined (default)
2. explain() succeeds with master key

The test description "explain requires master key by default" accurately reflects the breaking change.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.54%. Comparing base (8f877d4) to head (3e1dfc1).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha    #9975   +/-   ##
=======================================
  Coverage   92.53%   92.54%           
=======================================
  Files         190      190           
  Lines       15434    15434           
  Branches      176      176           
=======================================
+ Hits        14282    14283    +1     
+ Misses       1140     1139    -1     
  Partials       12       12           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.0.0-alpha.9