I have some data in my Parse server that is meant to be private to each user, so when I created the objects I gave them an ACL providing read & write access only to the user who created them.
I am now moving some of the code that reads/writes to the database to cloud code, and I noticed that queries no longer return results with those ACLs. The request.user parameter passed to the cloud code function is set to the logged-in user, so I assumed that the cloud code functions were running as that user, but that seems not to be the case.
I could run the queries with the master key, but I'd prefer to run as the current user, so the function can't accidentally mess with another user's data. Instead I'm passing in the session token:
    let options = { sessionToken: request.headers['x-parse-session-token'] };
    new Parse.Query('MyClass').find(options);
That works, but seems convoluted. Is this the best way?
You're right...
When you execute any CRUD operation in the cloud, you must pass the logged-in user's session token (if the object is protected with an ACL). To do this, you need to get the sessionToken from the user object and pass it as a parameter to the function that you are executing. So in your cloud code you should do something like this:
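    var query = new Parse.Query("MyQuery");
    query.find({
      // run the query as the calling user so the ACL is evaluated against them
      sessionToken: request.user.get("sessionToken")
    }).then(results => {
      // results contains only the objects this user's ACL allows them to read
    });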
In the code above, I pass the session token of the currently logged-in user to the query. You can do the same when saving or deleting an object...
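One way to apply the session-token approach from the posts above to every read, save and delete in a function, as an added example that is not code from either post. The names `userOptions`, `asUser` and `registerFunctions`, the `id`/`name` parameters and the `name` field are assumptions; `Parse` is passed in as an argument so the handlers can be exercised with a stub.

```javascript
// Added example; helper names, params and the 'name' field are hypothetical.
// 'MyClass' is the class name used in the question.

// Build per-request options from the caller's session; fail closed if there is none.
function userOptions(request) {
  const user = request.user;
  const sessionToken = user ? user.getSessionToken() : undefined;
  if (!sessionToken) {
    // Without a token the call would run unauthenticated and only see public
    // objects; refuse instead, and never fall back to useMasterKey.
    throw new Error('A logged-in user is required');
  }
  return { sessionToken };
}

// Wrap a Cloud Code handler so it always receives the caller's options.
function asUser(handler) {
  return async (request) => handler(request, userOptions(request));
}

// In real Cloud Code, `Parse` is the global Parse object.
function registerFunctions(Parse) {
  Parse.Cloud.define('listMine', asUser((request, opts) =>
    new Parse.Query('MyClass').find(opts)));

  Parse.Cloud.define('renameMine', asUser(async (request, opts) => {
    const obj = await new Parse.Query('MyClass').get(request.params.id, opts);
    obj.set('name', request.params.name);
    return obj.save(null, opts); // the ACL is enforced for the write as well
  }));

  Parse.Cloud.define('deleteMine', asUser(async (request, opts) => {
    const obj = await new Parse.Query('MyClass').get(request.params.id, opts);
    return obj.destroy(opts);
  }));
}
```
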