feat: Access the internal scope of Parse Server using the new maintenanceKey; the internal scope contains unofficial and undocumented fields (prefixed with underscore _) which are used internally by Parse Server; you may want to manipulate these fields for out-of-band changes such as data migration or correction tasks; changes within the internal scope of Parse Server may happen at any time without notice or changelog entry, it is therefore recommended to look at the source code of Parse Server to understand the effects of manipulating internal fields before using the key; it is discouraged to use the maintenanceKey for routine operations in a production environment; see [access scopes](https://github.com/parse-community/parse-server#access-scopes) (#8212)

BREAKING CHANGE: Fields in the internal scope of Parse Server (prefixed with underscore `_`) are only returned using the new `maintenanceKey`; previously the `masterKey` allowed reading of internal fields; see [access scopes](https://github.com/parse-community/parse-server#access-scopes) for a comparison of the keys' access permissions (#8212)

src/rest.js

@@ -111,7 +111,7 @@ function del(config, auth, className, objectId, context) {
             if (response && response.results && response.results.length) {
               const firstResult = response.results[0];
               firstResult.className = className;
-              if (className === '_Session' && !auth.isMaster) {
+              if (className === '_Session' && !auth.isMaster && !auth.isMaintenance) {
                 if (!auth.user || firstResult.user.objectId !== auth.user.id) {
                   throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token');
                 }
@@ -134,7 +134,7 @@ function del(config, auth, className, objectId, context) {
       return Promise.resolve({});
     })
     .then(() => {
-      if (!auth.isMaster) {
+      if (!auth.isMaster && !auth.isMaintenance) {
         return auth.getUserRoles();
       } else {
         return;
@@ -144,7 +144,7 @@ function del(config, auth, className, objectId, context) {
     .then(s => {
       schemaController = s;
       const options = {};
-      if (!auth.isMaster) {
+      if (!auth.isMaster && !auth.isMaintenance) {
         options.acl = ['*'];
         if (auth.user) {
           options.acl.push(auth.user.id);
@@ -237,7 +237,12 @@ function update(config, auth, className, restWhere, restObject, clientSDK, conte
 
 function handleSessionMissingError(error, className, auth) {
   // If we're trying to update a user without / with bad session token
-  if (className === '_User' && error.code === Parse.Error.OBJECT_NOT_FOUND && !auth.isMaster) {
+  if (
+    className === '_User' &&
+    error.code === Parse.Error.OBJECT_NOT_FOUND &&
+    !auth.isMaster &&
+    !auth.isMaintenance
+  ) {
     throw new Parse.Error(Parse.Error.SESSION_MISSING, 'Insufficient auth.');
   }
   throw error;
@@ -253,7 +258,7 @@ const classesWithMasterOnlyAccess = [
 ];
 // Disallowing access to the _Role collection except by master key
 function enforceRoleSecurity(method, className, auth) {
-  if (className === '_Installation' && !auth.isMaster) {
+  if (className === '_Installation' && !auth.isMaster && !auth.isMaintenance) {
     if (method === 'delete' || method === 'find') {
       const error = `Clients aren't allowed to perform the ${method} operation on the installation collection.`;
       throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
@@ -261,7 +266,11 @@ function enforceRoleSecurity(method, className, auth) {
   }
 
   //all volatileClasses are masterKey only
-  if (classesWithMasterOnlyAccess.indexOf(className) >= 0 && !auth.isMaster) {
+  if (
+    classesWithMasterOnlyAccess.indexOf(className) >= 0 &&
+    !auth.isMaster &&
+    !auth.isMaintenance
+  ) {
     const error = `Clients aren't allowed to perform the ${method} operation on the ${className} collection.`;
     throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, error);
   }