Secure _GLOBALCONFIG table

[neophob]

Issue Description

The _GLOBALCONFIG table is used to save Config values when using Parse Dashboard. As I use the values stored in this table only in Cloud Code I would prevent access from users (like remove all CLP permissions). Currently its world readable:

  let query = new Parse.Query('_GlobalConfig');
  query.limit(4);
  return query.find({})
    .then(msg => {
      return msg;
    })

Result:

_GLOBALCONFIG table reads:
  [ ParseObject { _objCount: 11, className: '_GlobalConfig', id: '1' } ]

This issue also might affect the _PushStatus and __JOBS__ tables.

Environment Setup

• Server
  • parse-server version: 2.2.11

[drew-gross]

This is the intended behaviour, as Parse Config is designed to be used by the clients. If you want to submit a PR that allows you to have private config, we would gladly accept it!

[neophob]

Ok I see - what about the _PushStatus and __JOBS__ tables?

[drew-gross]

_PushStatus already requires the master key. Jobs is not in the _SCHEMA so it should be fine.