Improve default Parse.User security

[dblythy]

New Feature / Enhancement Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.

Current Limitation

By default, when a new user is created, it will have public R, unless overriden by a cloud function.

Feature / Enhancement Description

Currently, to secure users, you need to create a cloud function. In my view, the reverse should be the case - that by default, the Parse.User ACL is R+W false, and if you want the "old" functionality, you should use a cloud function.

The changelog would be:

Breaking Change: Parse.User now defaults to public R false on signup. To achieve public read on sign up, use a cloud trigger:

Parse.Cloud.beforeSave(Parse.User, ({object}) => {
  if (!object.existed()) {
    const acl = new Parse.ACL();
    object.setPublicReadAccess(true);
    object.setACL(acl);
  }
});

Alternatives / Workarounds

Create a cloud function to prevent public R access on signup. It's my view this should be reversed - a cloud function shouldn't be needed to secure the user class.

[mtrezza]

Thanks for suggesting.

From a security perspective we want to move towards a strict default, so your suggestion to change the default makes sense.

As we are moving towards phased depreciation, before this would become a breaking change, the following would need to be implemented:

• A Parse Server option that allows to define whether a new User should be public or private with the default being public (status quo)
• A "default deprecation warning" that the default will change in a future version (PR for this is in the works to standardize and centralize these deprecation warnings)
• A Security Check that if the option is public (by default or explicitly set) it constitutes a weak security setting.
• A new Parse Server release needs to be published (planned for the coming weeks)
• Not earlier than 12 months after the new release has been published (6 months normally, but for this first release following the new versioning system, we give developers more time to hop on the new release train and upgrade), the default can be changed and the deprecation warning removed. Depending on developer feedback, the deprecation may be further postponed.

[dblythy]

Awesome, thanks for the detailed write up. This will be a good way to show the depreciation policy, considering it will only change a few lines of code. I’ll submit a PR shortly.

[dblythy]

Closed via #7319. On master, if you set enforcePrivateUsers to true, users ACL won't have public read on signup.