parse-community / parse-dashboard

A dashboard for managing Parse Server
https://parseplatform.org

Session ACL is "Public RW" while it's protected #1949

Open ivan-liljeqvist opened 2 years ago

ivan-liljeqvist commented 2 years ago

New Issue Checklist

Issue Description

ACL for the Session class says Public Read and Write for all rows, which is confusing for developers.

Parse docs explain that ACL should be set to a role or a user id in order to be protected.

The Session class seems to be protected under the hood, but the UI says Public Read and Write in the ACL column, which we should fix.

Steps to reproduce

Spin up a server and login a user.

Actual Outcome

All rows in the Session class have ACL set to "Public Read and Write".

Expected Outcome

All rows in the Session class should have ACL set to the userId.

Environment

Server

Database

Client

Logs

parse-github-assistant[bot] commented 2 years ago

Thanks for opening this issue!

mtrezza commented 2 years ago

the UI says

Do you mean the UI in Parse Dashboard?

ivan-liljeqvist commented 2 years ago

Yeah, exactly. I realize now it's not the correct repo for this issue. I can move it to the dashboard repo?

mtrezza commented 2 years ago

Are you referring to the dialog below? If yes, what are the changes you propose?

It doesn't say "all fields", so the information is at least not incorrect. But as I understand from your issue, it doesn't mention that _Session is a special class that has some access limitations built into Parse Server. Since these limitations can change anytime on the server side, I don't think a specific message should be built into Parse Dashboard. The message would become incorrect when using a different version of Parse Server or just a different server configuration.

ivan-liljeqvist commented 2 years ago

No, I am referring to the ACL column. It says "Public Read and Write" for all rows.

Each user can only get Sessions belonging to them.

Therefore the UI should say userId for each row and not Public Read and Write.

I understand that _Session is a special class, but our developers ask us to explain why ACL is set to public RW (they are worried all their user sessions are public) and we have to explain to them that it's a special class, etc.

It's confusing, don't you agree?

mtrezza commented 2 years ago

Therefore the UI should say userId for each row and not Public Read and Write

Yes, I guess that makes sense. Do you want to open a PR to fix this?

You could start by investigating in Parse Dashboard why it is displayed as "Public Read + Write", i.e. what the server response is and how that is interpreted by Parse Dashboard to display the "Public Read + Write". This may indeed be a Parse Server issue, because I assume the server should already send the correct ACL, which maybe should be the user ID, as you suggest.
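To make the investigation mtrezza suggests concrete, the following added example models how a dashboard-style ACL column can be derived from the rows a Parse Server REST query returns. It is illustrative code written for this thread, not Parse Dashboard's or Parse Server's own implementation. The ACL shape (a map from `*`, a user objectId or `role:<name>` to `{read, write}`, with an absent ACL meaning public read and write) is Parse's documented format; the functions `summarizeAcl`, `describeSessionRow` and `aclColumn`, and the sample response rows, are assumptions constructed for the example. The special case for `_Session` rows implements the display ivan-liljeqvist proposes (show the session's user id), not anything the dashboard does today.

```javascript
// Added example for the thread above: how a dashboard-style ACL column could be
// derived from rows returned by a Parse Server REST query. Illustrative code, not
// Parse Dashboard's implementation.
//
// A Parse object's ACL is a map of key -> {read, write}. The key is "*" (public),
// a user objectId, or "role:<name>". An object with no ACL field at all is
// publicly readable and writable, which is why a row whose ACL is simply absent
// renders as "Public Read + Write" even when the server enforces other limits.

function summarizeAcl(acl) {
  // Missing or empty ACL: Parse treats the object as public read/write.
  if (acl === undefined || acl === null || Object.keys(acl).length === 0) {
    return "Public Read + Write";
  }
  const parts = [];
  for (const [key, perms] of Object.entries(acl)) {
    const who = key === "*" ? "Public" : key;
    const rw = [perms.read ? "Read" : null, perms.write ? "Write" : null]
      .filter(Boolean)
      .join(" + ");
    parts.push(`${who} ${rw || "(none)"}`);
  }
  return parts.join(", ");
}

// Hypothetical display rule following the suggestion in the thread: a _Session
// row carries no ACL field, but it does carry a `user` pointer, and Parse Server
// only returns sessions to their own user, so show that user's objectId instead
// of the misleading "Public Read + Write".
function describeSessionRow(className, row) {
  if (
    className === "_Session" &&
    row.ACL === undefined &&
    row.user &&
    row.user.__type === "Pointer" &&
    row.user.objectId
  ) {
    return row.user.objectId;
  }
  return summarizeAcl(row.ACL);
}

// Map a whole REST response ({ results: [...] }) to the strings shown in the
// ACL column, one per row.
function aclColumn(className, response) {
  return response.results.map((row) => describeSessionRow(className, row));
}

// Constructed sample data shaped like a response to GET /classes/_Session
// (values are made up for the example).
const sampleSessionResponse = {
  results: [
    {
      objectId: "sess1",
      sessionToken: "r:constructed-token-1",
      user: { __type: "Pointer", className: "_User", objectId: "u123" },
    },
    {
      objectId: "sess2",
      sessionToken: "r:constructed-token-2",
      user: { __type: "Pointer", className: "_User", objectId: "u456" },
    },
  ],
};

// Constructed sample rows from an ordinary class, one with an explicit ACL and
// one without, to show the default behaviour side by side.
const samplePostResponse = {
  results: [
    { objectId: "post1", ACL: { u123: { read: true, write: true }, "*": { read: true } } },
    { objectId: "post2" },
  ],
};
```

Run with `node` after appending, for instance, `console.log(aclColumn("_Session", sampleSessionResponse))`; the `_Session` rows show `u123` and `u456`, while `post2`, which has no ACL, shows `Public Read + Write`. The point for the issue is that the two cases look identical in the raw response (no `ACL` field), so any fix has to decide, either on the server or in the dashboard, which class-level information to consult before rendering the column.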

ivan-liljeqvist commented 2 years ago

Yes we will check!