fix: Custom object ID allows to acquire role privileges ([GHSA-8xq9-g7ch-35hg](https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg)) (#9317)

src/Routers/ClassesRouter.js

@@ -106,6 +106,13 @@ export class ClassesRouter extends PromiseRouter {
   }
 
   handleCreate(req) {
+    if (
+      this.className(req) === '_User' &&
+      typeof req.body?.objectId === 'string' &&
+      req.body.objectId.startsWith('role:')
+    ) {
+      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, 'Invalid object ID.');
+    }
     return rest.create(
       req.config,
       req.auth,