joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Deprecation DEPPS12: Database option allowPublicExplain defaults to false (#9975)

Browse Source 
BREAKING CHANGE: This release changes the MongoDB database option `allowPublicExplain` default to `false` (Deprecation DEPPS12).
This commit is contained in:
Manuel
2025-12-12 21:07:07 +01:00
committed by GitHub
parent a4c8d9efe0
commit c1c7e6976d
7 changed files with 17 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/Deprecator/Deprecations.js
View File

@@ -17,5 +17,4 @@
*/
module.exports = [
{ optionKey: 'enableInsecureAuthAdapters', changeNewDefault: 'false' },
{ optionKey: 'databaseOptions.allowPublicExplain', changeNewDefault: 'false' },
];

2
src/Options/Definitions.js
View File

@@ -1144,7 +1144,7 @@ module.exports.DatabaseOptions = {
help:
'Set to `true` to allow `Parse.Query.explain` without master key.<br><br>\u26A0\uFE0F Enabling this option may expose sensitive query performance data to unauthorized users and could potentially be exploited for malicious purposes.',
action: parsers.booleanParser,
default: true,
default: false,
},
appName: {
env: 'PARSE_SERVER_DATABASE_APP_NAME',

2
src/Options/index.js
View File

@@ -751,7 +751,7 @@ export interface DatabaseOptions {
/* Set to `true` to disable validation of index fields. When disabled, indexes can be created even if the fields do not exist in the schema. This can be useful when creating indexes on fields that will be added later. */
disableIndexFieldValidation: ?boolean;
/* Set to `true` to allow `Parse.Query.explain` without master key.<br><br>⚠️ Enabling this option may expose sensitive query performance data to unauthorized users and could potentially be exploited for malicious purposes.
:DEFAULT: true */
:DEFAULT: false */
allowPublicExplain: ?boolean;
/* An array of MongoDB client event configurations to enable logging of specific events. */
logClientEvents: ?(LogClientEvent[]);

2
src/rest.js
View File

@@ -37,7 +37,7 @@ async function runFindTriggers(
const { isGet } = options;
if (restOptions && restOptions.explain && !auth.isMaster) {
const allowPublicExplain = config.databaseOptions?.allowPublicExplain ?? true;
const allowPublicExplain = config.databaseOptions?.allowPublicExplain ?? false;
if (!allowPublicExplain) {
throw new Parse.Error(