Strip personally identifiable information from user table for unauthorized users.
- Add a config option to explicitly enumerate PII fields beyond email.
- In the query controller, strip PII from user table results before sending them out the door.
committed by
Florent Vilmart
parent
a270632570
commit
01b05b060f
@@ -113,6 +113,7 @@ class ParseServer {
|
||||
webhookKey,
|
||||
fileKey,
|
||||
facebookAppIds = [],
|
||||
userSensitiveFields = [],
|
||||
enableAnonymousUsers = defaults.enableAnonymousUsers,
|
||||
allowClientClassCreation = defaults.allowClientClassCreation,
|
||||
oauth = {},
|
||||
@@ -155,6 +156,11 @@ class ParseServer {
|
||||
throw 'When using an explicit database adapter, you must also use an explicit filesAdapter.';
|
||||
}
|
||||
|
||||
userSensitiveFields = Array.from(new Set(userSensitiveFields.concat(
|
||||
defaults.userSensitiveFields,
|
||||
userSensitiveFields
|
||||
)));
|
||||
|
||||
const loggerControllerAdapter = loadAdapter(loggerAdapter, WinstonLoggerAdapter, { jsonLogs, logsFolder, verbose, logLevel, silent });
|
||||
const loggerController = new LoggerController(loggerControllerAdapter, appId);
|
||||
logging.setLogger(loggerController);
|
||||
@@ -222,7 +228,8 @@ class ParseServer {
|
||||
revokeSessionOnPasswordReset,
|
||||
databaseController,
|
||||
schemaCacheTTL,
|
||||
enableSingleSchemaCache
|
||||
enableSingleSchemaCache,
|
||||
userSensitiveFields
|
||||
});
|
||||
|
||||
// To maintain compatibility. TODO: Remove in some version that breaks backwards compatibility
|
||||
|
||||
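Review bot: The merge in the second hunk calls `.concat` on the caller-supplied `userSensitiveFields` without checking that it is an array, and it also passes that same value to itself as an argument. The destructuring default only covers `undefined`, so `null` throws a TypeError here, and a plain string such as `'phone'` goes through `String.prototype.concat` and ends up as a list of single characters, which would leave the intended field unprotected without any error. Since this list decides which user columns are withheld from unauthorized readers, I would fail at startup on bad input and build from the defaults: `if (!Array.isArray(userSensitiveFields)) { throw 'userSensitiveFields must be an array of field names.'; }` followed by `userSensitiveFields = Array.from(new Set(defaults.userSensitiveFields.concat(userSensitiveFields)));`. The constructor body starts and ends outside these hunks, so an earlier validation step may already exist that is not visible here.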