I am running a clean Heroku & MLab installation of the Parse Server (https://github.com/ParsePlatform/parse-server-example), which I am controlling using the Parse Server Dashboard (https://github.com/ParsePlatform/parse-dashboard).
I can make Rest API calls & create new classes. How do I prevent new classes from being created through API calls(either by logged in users or anonymously)?
It looks like there is no control of this in the Parse Server Dashboard at present.
I've found the answer to my question here:
http://stansidel.com/2016/03/parse-server-security-considerations-and-server-updates/
Setting the allowClientClassCreation which is one of the advanced options in the Parse Server setup.
I have set enableAnonymousUsers to false which prevents anonymous calls to the API.
The relevant snippet of code in the index.js now looks as follows:
var api = new ParseServer({
databaseURI: databaseUri || 'mongodb://localhost:27017/dev',
cloud: process.env.CLOUD_CODE_MAIN || __dirname + '/cloud/main.js',
appId: process.env.APP_ID || 'myAppId',
masterKey: process.env.MASTER_KEY || '', //Add your master key here. Keep it secret!
serverURL: process.env.SERVER_URL || 'http://localhost:1337/parse', // Don't forget to change to https if needed
enableAnonymousUsers: process.env.ANON_USERS || false,
allowClientClassCreation: process.env.CLIENT_CLASS_CREATION || false,
liveQuery: {
classNames: ["Posts", "Comments"] // List of classes to support for query subscriptions
}
});
来源:https://stackoverflow.com/questions/36657486/parse-server-security