I'm working on an application that allows users to save objects, and then view objects from other users near them. I store a geopoint on the Parse.User object, and have written a query that finds other users near the current user, and then objects that belong to those users:
var user = Parse.User.current();
var innerQuery = new Parse.Query(Parse.User);
innerQuery.near("location", user.get("location"));
innerQuery.notEqualTo("objectId", user.id);
var query = new Parse.Query(MyObject);
query.include(innerQuery);
query.matchesQuery("user", innerQuery);
return query.find()
This works great. However, I'm trying to secure user information–I don't want other users to be able to simply call user.get("location") and get the precise coordinates (and therefore address) of another user.
I tried setting the CLP to the _User table to prohibit reads and writes, but then my query fails with 403 (Forbidden).
Is there a way to secure my geopoint while still permitting near queries?
Your inner query works because the User class is by default publicly readable. The downside is that you lose the ability to protect the data you put in there as long as you have the find CLP on your class. The easiest solution is to move your searching query to Cloud while disabling find permission in your User class CLP to protect the data from being searched which includes in your case a user's location.