feat: Add protectedFieldsOwnerExempt option to control _User class owner exemption for protectedFields (#10280)

Author: mtrezza

spec/ProtectedFields.spec.js

@@ -1837,4 +1837,140 @@ describe('ProtectedFields', function () {
       await expectAsync(restQuery.denyProtectedFields()).toBeResolved();
     });
   });
+
+  describe('protectedFieldsOwnerExempt', function () {
+    it('owner sees own protectedFields when protectedFieldsOwnerExempt is true', async function () {
+      const protectedFields = {
+        _User: {
+          '*': ['phone'],
+        },
+      };
+      await reconfigureServer({ protectedFields, protectedFieldsOwnerExempt: true });
+      const user1 = new Parse.User();
+      user1.setUsername('user1');
+      user1.setPassword('password');
+      user1.set('phone', '555-1234');
+      const acl = new Parse.ACL();
+      acl.setPublicReadAccess(true);
+      user1.setACL(acl);
+      await user1.signUp();
+      const sessionToken1 = user1.getSessionToken();
+
+      // Owner fetches own object — phone should be visible
+      const response = await request({
+        url: `http://localhost:8378/1/users/${user1.id}`,
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'X-Parse-Session-Token': sessionToken1,
+        },
+      });
+      expect(response.data.phone).toBe('555-1234');
+
+      // Another user fetches the first user — phone should be hidden
+      const user2 = new Parse.User();
+      user2.setUsername('user2');
+      user2.setPassword('password');
+      await user2.signUp();
+      const response2 = await request({
+        url: `http://localhost:8378/1/users/${user1.id}`,
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'X-Parse-Session-Token': user2.getSessionToken(),
+        },
+      });
+      expect(response2.data.phone).toBeUndefined();
+    });
+
+    it('owner does NOT see own protectedFields when protectedFieldsOwnerExempt is false', async function () {
+      await reconfigureServer({
+        protectedFields: {
+          _User: {
+            '*': ['phone'],
+          },
+        },
+        protectedFieldsOwnerExempt: false,
+      });
+      const user = await Parse.User.signUp('user1', 'password');
+      const sessionToken = user.getSessionToken();
+      user.set('phone', '555-1234');
+      await user.save(null, { sessionToken });
+
+      // Owner fetches own object — phone should be hidden
+      const response = await request({
+        url: `http://localhost:8378/1/users/${user.id}`,
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'X-Parse-Session-Token': sessionToken,
+        },
+      });
+      expect(response.data.phone).toBeUndefined();
+
+      // Master key — phone should be visible
+      const masterResponse = await request({
+        url: `http://localhost:8378/1/users/${user.id}`,
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-Master-Key': 'test',
+        },
+      });
+      expect(masterResponse.data.phone).toBe('555-1234');
+    });
+
+    it('non-_User classes unaffected by protectedFieldsOwnerExempt', async function () {
+      await reconfigureServer({
+        protectedFields: {
+          TestClass: {
+            '*': ['secret'],
+          },
+        },
+        protectedFieldsOwnerExempt: true,
+      });
+      const user = await Parse.User.signUp('user1', 'password');
+      const obj = new Parse.Object('TestClass');
+      obj.set('secret', 'hidden-value');
+      obj.setACL(new Parse.ACL(user));
+      await obj.save(null, { sessionToken: user.getSessionToken() });
+
+      // Owner fetches own object — secret should still be hidden (non-_User class)
+      const response = await request({
+        url: `http://localhost:8378/1/classes/TestClass/${obj.id}`,
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'X-Parse-Session-Token': user.getSessionToken(),
+        },
+      });
+      expect(response.data.secret).toBeUndefined();
+    });
+
+    it('/users/me respects protectedFieldsOwnerExempt: false', async function () {
+      await reconfigureServer({
+        protectedFields: {
+          _User: {
+            '*': ['phone'],
+          },
+        },
+        protectedFieldsOwnerExempt: false,
+      });
+      const user = await Parse.User.signUp('user1', 'password');
+      const sessionToken = user.getSessionToken();
+      user.set('phone', '555-1234');
+      await user.save(null, { sessionToken });
+
+      // GET /users/me — phone should be hidden
+      const response = await request({
+        url: 'http://localhost:8378/1/users/me',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'X-Parse-Session-Token': sessionToken,
+        },
+      });
+      expect(response.data.phone).toBeUndefined();
+      expect(response.data.objectId).toBe(user.id);
+    });
+  });
 });

src/Controllers/DatabaseController.js

@@ -195,7 +195,8 @@ const filterSensitiveData = (
   schema: SchemaController.SchemaController | any,
   className: string,
   protectedFields: null | Array<any>,
-  object: any
+  object: any,
+  protectedFieldsOwnerExempt: ?boolean
 ) => {
   let userId = null;
   if (auth && auth.user) { userId = auth.user.id; }
@@ -271,8 +272,9 @@ const filterSensitiveData = (
   }
 
   /* special treat for the user class: don't filter protectedFields if currently loggedin user is
-  the retrieved user */
-  if (!(isUserClass && userId && object.objectId === userId)) {
+  the retrieved user, unless protectedFieldsOwnerExempt is false */
+  const isOwnerExempt = protectedFieldsOwnerExempt !== false && isUserClass && userId && object.objectId === userId;
+  if (!isOwnerExempt) {
     protectedFields && protectedFields.forEach(k => delete object[k]);
 
     // fields not requested by client (excluded),
@@ -1407,7 +1409,8 @@ class DatabaseController {
                         schemaController,
                         className,
                         protectedFields,
-                        object
+                        object,
+                        this.options.protectedFieldsOwnerExempt
                       );
                     })
                   )
@@ -1667,7 +1670,7 @@ class DatabaseController {
     const protectedFields = perms.protectedFields;
     if (!protectedFields) { return null; }
 
-    if (aclGroup.indexOf(query.objectId) > -1) { return null; }
+    if (className === '_User' && this.options.protectedFieldsOwnerExempt !== false && aclGroup.indexOf(query.objectId) > -1) { return null; }
 
     // for queries where "keys" are set and do not include all 'userField':{field},
     // we have to transparently include it, and then remove before returning to client
@@ -1989,7 +1992,7 @@ class DatabaseController {
   }
 
   static _validateQuery: (any, boolean, boolean, boolean) => void;
-  static filterSensitiveData: (boolean, boolean, any[], any, any, any, string, any[], any) => void;
+  static filterSensitiveData: (boolean, boolean, any[], any, any, any, string, any[], any, ?boolean) => void;
 }
 
 module.exports = DatabaseController;

src/Deprecator/Deprecations.js

@@ -86,4 +86,9 @@ module.exports = [
     changeNewKey: '',
     solution: "Auth providers are always validated on login regardless of this setting. Set 'allowExpiredAuthDataToken' to 'false' or remove the option to accept the future removal.",
   },
+  {
+    optionKey: 'protectedFieldsOwnerExempt',
+    changeNewDefault: 'false',
+    solution: "Set 'protectedFieldsOwnerExempt' to 'false' to apply protectedFields consistently to the user's own _User object (same as all other classes), or to 'true' to keep the current behavior where a user can see all their own fields.",
+  },
 ];

src/LiveQuery/ParseLiveQueryServer.ts

@@ -783,7 +783,7 @@ class ParseLiveQueryServer {
         res.object.className,
         protectedFields,
         obj,
-        query
+        this.config.protectedFieldsOwnerExempt
       );
     };
     res.object = filter(res.object);

src/Options/Definitions.js

@@ -470,14 +470,20 @@ module.exports.ParseServerOptions = {
   },
   protectedFields: {
     env: 'PARSE_SERVER_PROTECTED_FIELDS',
-    help: 'Protected fields that should be treated with extra security when fetching details.',
+    help: "Fields per class that are hidden from query results for specific user groups. Protected fields are stripped from the server response, but can still be used internally (e.g. in Cloud Code triggers). Configure as `{ 'ClassName': { 'UserGroup': ['field1', 'field2'] } }` where `UserGroup` is one of: `'*'` (all users), `'authenticated'` (authenticated users), `'role:RoleName'` (users with a specific role), `'userField:FieldName'` (users referenced by a pointer field), or a user `objectId` to target a specific user. When multiple groups apply, the intersection of their protected fields is used. By default, `email` is protected on the `_User` class for all users. On the `_User` class, the object owner is exempt from protected fields by default; see `protectedFieldsOwnerExempt` to change this.",
     action: parsers.objectParser,
     default: {
       _User: {
         '*': ['email'],
       },
     },
   },
+  protectedFieldsOwnerExempt: {
+    env: 'PARSE_SERVER_PROTECTED_FIELDS_OWNER_EXEMPT',
+    help: "Whether the `_User` class is exempt from `protectedFields` when the logged-in user queries their own user object. If `true` (default), a user can see all their own fields regardless of `protectedFields` configuration. If `false`, `protectedFields` applies equally to the user's own object, consistent with all other classes. Defaults to `true`.",
+    action: parsers.booleanParser,
+    default: true,
+  },
   publicServerURL: {
     env: 'PARSE_PUBLIC_SERVER_URL',
     help: 'Optional. The public URL to Parse Server. This URL will be used to reach Parse Server publicly for features like password reset and email verification links. The option can be set to a string or a function that can be asynchronously resolved. The returned URL string must start with `http://` or `https://`.',

src/Options/docs.js

@@ -168,9 +168,13 @@ export interface ParseServerOptions {
   preserveFileName: ?boolean;
   /* Personally identifiable information fields in the user table the should be removed for non-authorized users. Deprecated @see protectedFields */
   userSensitiveFields: ?(string[]);
-  /* Protected fields that should be treated with extra security when fetching details.
+  /* Fields per class that are hidden from query results for specific user groups. Protected fields are stripped from the server response, but can still be used internally (e.g. in Cloud Code triggers). Configure as `{ 'ClassName': { 'UserGroup': ['field1', 'field2'] } }` where `UserGroup` is one of: `'*'` (all users), `'authenticated'` (authenticated users), `'role:RoleName'` (users with a specific role), `'userField:FieldName'` (users referenced by a pointer field), or a user `objectId` to target a specific user. When multiple groups apply, the intersection of their protected fields is used. By default, `email` is protected on the `_User` class for all users. On the `_User` class, the object owner is exempt from protected fields by default; see `protectedFieldsOwnerExempt` to change this.
   :DEFAULT: {"_User": {"*": ["email"]}} */
   protectedFields: ?ProtectedFields;
+  /* Whether the `_User` class is exempt from `protectedFields` when the logged-in user queries their own user object. If `true` (default), a user can see all their own fields regardless of `protectedFields` configuration. If `false`, `protectedFields` applies equally to the user's own object, consistent with all other classes. Defaults to `true`.
+  :ENV: PARSE_SERVER_PROTECTED_FIELDS_OWNER_EXEMPT
+  :DEFAULT: true */
+  protectedFieldsOwnerExempt: ?boolean;
   /* Enable (or disable) anonymous users, defaults to true
   :ENV: PARSE_SERVER_ENABLE_ANON_USERS
   :DEFAULT: true */