changelogs/CHANGELOG_release.md
ParseServerRESTController (#10291) (60a58ec)rawValues and rawFieldNames options for aggregation queries (#10438) (f26700e)/sessions/me bypasses _Session protectedFields (GHSA-g4v2-qx3q-4p64) (#10406) (d507575)/upgradeToRevocableSession ignores _Session protectedFields (#10408) (c136e2b)/login and /verifyPassword ignore _User protectedFields (#10409) (8a3db3b)protectedFields on various endpoints (#10412) (c0889c8)requestComplexity.allowRegex option to disable $regex query operator (#10418) (18482e3)requestComplexity.subqueryLimit option to limit subquery results (#10420) (bf40004)routeAllowList (#10389) (f2d06e7)fileDownload to restrict file download (#10394) (fc117ef)multipart/form-data protocol (#10395) (a3f36a2)protectedFieldsSaveResponseExempt option to strip protected fields from save responses (#10289) (4f7cb53)protectedFieldsTriggerExempt option to exempt Cloud Code triggers from protectedFields (#10288) (1610f98)partialFilterExpression in MongoDB storage adapter (#10346) (8dd7bf2)matchedCount and modifiedCount from DatabaseController.update with many: true (#10353) (aea7596)protectedFieldsOwnerExempt: false despite email not in protectedFields (#10284) (4a65d77)regexTimeout default value not applied (#10156) (416cfbc)requestComplexity.batchRequestLimit (#10265) (164ed0d)_GraphQLConfig and _Audience master key bypass via generic class routes (GHSA-7xg7-rqf6-pw6c) (#10151) (1de4e43)instanceof is not realm-safe (#10225) (51efb1e)allowMethodOverride middleware (#10262) (a248e8c)redirectClassNameForKey query parameter (GHSA-6r2j-cxgf-495f) (#10143) (70b7b07)Increment operation on nested object field in PostgreSQL (GHSA-q3vj-96h2-gwvg) (#10161) (8f82282)Increment operation on PostgreSQL (GHSA-gqpp-xgvh-9h7h) (#10165) (169d692)/sessions/me (#10213) (2a9fdab)enableProductPurchaseLegacyApi option to disable legacy IAP validation (#10228) (622ee85)protectedFieldsOwnerExempt option to control _User class owner exemption for protectedFields (#10280) (d5213f8)X-Content-Type-Options: nosniff header and customizable response headers for files via Parse.Cloud.afterFind(Parse.File) (#10158) (28d11a3)requestKeywordDenylist keyword scan bypass through nested object placement (GHSA-q342-9w2p-57fp) (#10123) (4a44247)PagesRouter path traversal allows reading files outside configured pages directory (GHSA-hm3f-q6rw-m6wh) (#10104) (e772543)/loginAs allows readOnlyMasterKey to gain full read and write access as any user (GHSA-79wj-8rqv-jvp5) (#10098) (bc20945)readOnlyMasterKey write restriction (GHSA-xfh7-phr7-gr2x) (#10095) (036365a)beforeFind / afterFind trigger authorization (GHSA-hwx8-q9cg-mqmc) (#10106) (72e7707)__type introspection bypass via inline fragments when public introspection is disabled (GHSA-q5q9-2rhp-33qw) (#10111) (61261a5)$regex query leaks database error details in API response (GHSA-9cp7-3q5w-j92g) (#10101) (9792d24)$regex query in LiveQuery (GHSA-mf3j-86qx-cq5j) (#10118) (5e113c2)Parse.File option maxUploadSize to override the Parse Server option maxUploadSize per file upload (#10093) (3d8807b)mountPlayground for GraphQL development (#10103) (2ae5db1)readOnlyMasterKeyIps to restrict readOnlyMasterKey by IP (#10115) (cbff6b4)Parse.File.setDirectory, setMetadata, setTags with stream-based file upload (#10092) (ca666b0)readOnlyMasterKey invocation of Cloud Function via request.isReadOnly (#10100) (2c48751)readOnlyMasterKey write restriction (GHSA-vc89-5g3r-cmhh) (#10088) (9a3dd4d)PagesRouter header parameters are not URL-encoded to support non-ASCII characters in app name (#10078) (c92660b)Parse.File.setDirectory() with master key to save file in directory (#10076) (17d987c)NODE_ENV=production even with master key (#10071) (a5269f0)pages.enableRouter (#10070) (00b3b72)Parse.Query.select('authData') for _User class doesn't return auth data (#10055) (44a5bb1)Parse.Object update (#10061) (4ef89d9)Parse uses browser build instead of Node build (#10067) (1a2521d)Parse.File.url validation with config fileUpload.allowedFileUrlDomains against SSRF attacks (#10044) (4c9c948)verifyUserEmails, preventLoginWithUnverifiedEmail to identify invoking signup / login action and auth provider (#9963) (ed98c15)Buffer, Readable, ReadableStream (#10065) (f0feb48)databaseOptions.clientMetadata to send custom metadata to database server for logging and debugging (#10017) (756c204)logLevels.signupUsernameTaken to change log level of username already exists sign-up rejection (#9962) (f18f307)Parse.Object in Cloud Function and remove option encodeParseObjectInCloudFunction (#9973) (a2d3dbe)PublicAPIRouter with PagesRouter (#9974) (8f877d4)enableInsecureAuthAdapters defaults to false (#9982) (22d4622)allowPublicExplain defaults to false (#9975) (c1c7e69)7.0.16 (#9971) (7bb548b)20.19.0 (#9970) (633964d)16, PostGIS 3.5 (#9972) (7483add)enableInsecureAuthAdapters default to false (Deprecation DEPPS13). (22d4622)allowPublicExplain default to false (Deprecation DEPPS12). (c1c7e69)PublicAPIRouter with PagesRouter (Deprecation DEPPS11). (8f877d4)Parse.Object in Cloud Function and removes option encodeParseObjectInCloudFunction (Deprecation DEPPS10). (a2d3dbe)16, PostGIS 3.5. (7483add)7.0.16. (7bb548b)masterKey or setting graphQLPublicIntrospection: true. (87c7f07)20.19.0. (633964d)cloudConfig to retrieve and mutation updateCloudConfig to update Cloud Config (#9947) (3ca85cd)GridFSBucketAdapter throws when using some Parse Server specific options in MongoDB database options (#9915) (d3d4003)rateLimit.zone does not use default value ip (#9941) (12beb8f)authData.provider.id are incorrectly transformed to _auth_data_provider.id for custom classes (#9932) (7b9fa18)beforePasswordResetRequest hook (#9906) (94cee5b)logClientEvents (#9914) (b760733)allowPublicExplain to allow Parse.Query.explain without master key (#9890) (4456b02)enableSanitizedErrorResponse to remove detailed error messages from responses sent to clients (#9944) (4752197)serverSelectionTimeoutMS, maxIdleTimeMS, heartbeatFrequencyMS (#9910) (1b661e9)publicServerURL to be set dynamically as asynchronous function (#9803) (460a65c)Parse.Query.include now fetches pointers at same level in parallel (#9861) (dafea21)fileUpload.fileExtensions (#9902) (fa245cb)afterSave trigger for Parse.Role due to name field (#9883) (eb052d8)_email_verify_token for email verification and _perishable_token password reset are not created automatically (#9893) (62dd3c5)Parse.Object update causes inconsistency between validation read and subsequent update write operation (#9859) (f49efaf)databaseOptions.disableIndexFieldValidation (#9880) (1815b01)keepUnknownIndexes to retain indexes which are not specified in schema (#9857) (89fad46)verifyServerUrl to disable server URL verification on server launch (#9881) (b298ccc)u for unicode support in Parse.Query.matches for MongoDB (#9867) (7cb962a)Parse.Cloud.beforeFind without invoking database query (#9770) (0b47407)_JobStatus (#8343) (e98733c)Parse.Cloud.beforeFind(Parse.File)and Parse.Cloud.afterFind(Parse.File) (#8700) (b2beaa8)extendSessionOnUse does not correctly clear memory and functions as a debounce instead of a throttle (#8683) (6258a6a)masterKey to a function (#9582) (6f1d161)databaseOptions keys autoSelectFamily, autoSelectFamilyAttemptTimeout (#9579) (5966068)databaseOptions keys minPoolSize, connectTimeoutMS, socketTimeoutMS (#9522) (91618fe)encodeParseObjectInCloudFunction to true (#9527) (5c5ad69)PublicAPIRouter in favor of PagesRouter (#9526) (7f66629)6.0.19, 7.0.16, 8.0.4 (#9531) (871e508)18.20.4, 20.18.0, 22.12.0 (#9521) (4e151cd)15, PostGIS 3.3 (#9538) (89c9b54)15, PostGIS 3.3 and removes support for Postgres 13, 14, PostGIS 3.1, 3.2. (89c9b54)encodeParseObjectInCloudFunction changes to true; the option has been deprecated and will be removed in a future version. (5c5ad69)6.0.19, 7.0.16, 8.0.4 and removes support for MongoDB 4, 5. (871e508)Parse.Query.distinct fails due to invalid aggregate stage 'hint' (#9295) (5f66c6a)databaseOptions nested keys incorrectly identified as invalid (#9213) (77206d8)maxLogFiles doesn't recognize day duration literals such as 1d to mean 1 day (#9215) (0319cee)Parse.Cloud.beforeSave and Parse.Cloud.afterSave for Parse Config (#9232) (90a1e4a)FilesAdapter.getFileLocation (#9271) (1a2da40)Parse.Cloud.startJob and Parse.Push.send not returning status ID when setting Parse Server option directAccess: true (#8766) (5b0efb2)Required option not handled correctly for special fields (File, GeoPoint, Polygon) on GraphQL API mutations (#8915) (907ad42)notEqualTo is set to null (#8835) (11d3e48)extendSessionOnUse not working for session lengths < 24 hours (#9113) (0a054e6)rateLimit.redisUrl with clusters (#8632) (c277739)silent log level for Cloud Code (#8803) (5f81efb)security.enableCheck to Features Router (#8679) (b07ec15)verifyUserEmails, preventLoginWithUnverifiedEmail set to functions (#8838) (8e7a6b1)beforeFind when using Parse.Query.include (#8765) (7d32d89)masterKeyIps regardless of ACL and CLP (#8957) (a7b5b38)verifyEmail function if both username and email are changed (#8889) (1eb95ae)emailVerifyTokenReuseIfValid: true generates new token on every email verification request (#8885) (0023ce4)fileExtensions default value rejects file extensions that are less than 3 or more than 4 characters long (#8699) (2760381)fileUpload.fileExtensions fails to determine file extension if filename contains multiple dots (#8754) (3d6d50e)Parse.Pointer in the request body (#8784) (66e3603)undefined in email verification link on email change (#8887) (e315c13)$setOnInsert operator to Parse.Server.database.update (#8791) (f630a45)installationId to arguments for verifyUserEmails, preventLoginWithUnverifiedEmail (#8836) (a22dbe1)installationId, ip, resendRequest to arguments passed to verifyUserEmails on verification email request (#8873) (8adcbee)Parse.User as function parameter to Parse Server options verifyUserEmails, preventLoginWithUnverifiedEmail on login (#8850) (972f630)enableCollationCaseComparison, transformEmailToLowercase, transformUsernameToLowercase (#8805) (09fbeeb)beforeLogin and afterLogin (#8724) (a9c34ef)ignoreEmailVerification (#8895) (633a9d2)Parse.Session.current on expired session token instead of throwing error (#8722) (f9dde4a)createdAt and updatedAt during Parse.Object creation with maintenance key (#8696) (77bbfb3)allowClientClassCreation defaults to false (#8849) (29624e0)allowExpiredAuthDataToken defaults to false (#8860) (e29845f)fields option is renamed to keys (#8852) (38983e8)allowClientClassCreation defaults to false. (29624e0)masterKeyIps, even if the request does not require the master key permission, for example for a public object in a public class class. (a7b5b38)auth.<provider>.enabled: true (0cf58eb)allowExpiredAuthDataToken defaults to false; a 3rd party authentication token will be validated every time the user tries to log in and the login will fail if the token has expired; the effect of this change may differ for different authentication adapters, depending on the token lifetime and the token refresh logic of the adapter (e29845f)fields option is renamed to keys (38983e8)Parse.Cloud.beforeDeleteFile' has been changed to Parse.Cloud.beforeDelete(Parse.File, (request) => {})' (4e6a375)Parse.User passed as argument if verifyUserEmails is set to a function is renamed from user to object for consistency with invocations of verifyUserEmails on signup or login; the user object is not a plain JavaScript object anymore but an instance of Parse.User (8adcbee)Parse.Session.current() no longer throws an error if the session token is expired, but instead returns the session token with its expiration date to allow checking its validity (f9dde4a)Parse.Query no longer supports the BSON type code; although this feature was never officially documented, its removal is announced as a breaking change to protect deployments where it might be in use. (3de8494)fileUpload.fileExtensions does not work with an array of extensions (#8688) (6a4a00c)auth option is set (#8666) (4e2000b)verifyUserEmails, sendUserEmailVerification that now accept functions (#8425) (44acd6d)Parse.Server.version to determine current version of Parse Server in Cloud Code (#8670) (a9d376b)afterSave executes even if not set (#8520) (afd0515)enableSchemaHooks settings (#8467) (d4cda4b)handleShutdown is called (#8491) (967700b)extendSessionOnUse (#8562) (fd6a007)extendSessionOnUse to automatically renew Parse Sessions (#8505) (6f885d3)preventSignupWithUnverifiedEmail to prevent returning a user without session token on sign-up with unverified email address (#8451) (82da308)$eq query constraint in LiveQuery (#8614) (656d673)ip, user, session, global (#8508) (03fba97)Parse.Object pointers in Cloud Code arguments (#8490) (28aeda3)beforeFind query trigger; fixes security vulnerability GHSA-fcv6-fg5r-jm9q (be4c7e2)fileUpload.fileExtensions to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern ^[^hH][^tT][^mM][^lL]?$, which excludes HTML files; if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to ['.*'] (#8538) (a318e7b){} when fetching a Parse Object (#8446) (22d2446)afterFind trigger of authentication adapters (#8458) (ce34747)afterFind trigger to authentication adapters (#8444) (c793bb8)schemaCacheTtl for schema cache pulling as alternative to enableSchemaHooks (#8436) (b3b76de)resetPasswordSuccessOnInvalidEmail to choose success or error response on password reset with invalid email (#7551) (e5d610e)Access-Control-Allow-Origin (#8517) (4f15539)fields option in favor of keys for semantic consistency (#8388) (a49e323)AuthAdapter to make it available for extension with custom authentication adapters (#8443) (40c1961)ParseServer.verifyServerUrl may fail if server response headers are missing; remove unnecessary logging (#8391) (1c37a7c)beforeSave does not work with Parse.Role (#8320) (f29d972)masterKeyIps does not include localhost by default for IPv6 (#8322) (ab82635)masterKeyIps may be circumvented, see GHSA-vm5r-c87r-pf6x (#8372) (892040d)afterLogin, afterLogout crashes server (#8280) (130d290)maintenanceKey; the internal scope contains unofficial and undocumented fields (prefixed with underscore _) which are used internally by Parse Server; you may want to manipulate these fields for out-of-band changes such as data migration or correction tasks; changes within the internal scope of Parse Server may happen at any time without notice or changelog entry, it is therefore recommended to look at the source code of Parse Server to understand the effects of manipulating internal fields before using the key; it is discouraged to use the maintenanceKey for routine operations in a production environment; see access scopes (#8212) (f3bcc93)verifyServerUrl for new asynchronous Parse Server start-up states (#8366) (ffa4974)ParseQuery.watch to trigger LiveQuery only on update of specific fields (#8028) (fc92faa)DEPPS1: Native MongoDB syntax in aggregation pipeline (#8362) (d0d30c4)DEPPS2: Config option directAccess defaults to true (#8284) (f535ee6)DEPPS3: Config option enforcePrivateUsers defaults to true (#8283) (ed499e3)DEPPS4: Remove convenience method for http request Parse.Cloud.httpRequest (#8287) (2d79c08)masterKey to localhost by default (#8281) (6c16021)package-lock.json to version 2 (#8285) (ee72467)masterKeyIps (#8350) (e22b73d)RUN apk --no-cache add git (#8359) (40810b4)_) are only returned using the new maintenanceKey; previously the masterKey allowed reading of internal fields; see access scopes for a comparison of the keys' access permissions (#8212) (f3bcc93)ParseServer.verifyServerUrl now returns a promise instead of a callback. (ffa4974)$match and the MongoDB document ID is referenced using _id instead of objectId (#8362) (d0d30c4)trustProxy accordingly if Parse Server runs behind a proxy server, see the express framework's trust proxy setting (#8372) (892040d)package-lock.json is upgraded to version 2; while it is backwards with version 1 for the npm installer, consider this if you run any non-npm analysis tools that use the lock file (#8285) (ee72467)serverStartComplete; see the Parse Server 6 migration guide for more details (#8232) (99fcf45)Date object was saved as a JSON object like { "__type": "Date", "iso": "2020-01-01T00:00:00.000Z" } instead of its serialized representation 2020-01-01T00:00:00.000Z (#8209) (1412666)enforcePrivateUsers is set to true by default; in previous releases this option defaults to false; this change improves the default security configuration of Parse Server (#8283) (ed499e3)masterKey to localhost by default; if you are using Parse Dashboard on a different server to connect to Parse Server you need to add the IP address of the server that hosts Parse Dashboard to this option (#8281) (6c16021)afterLogin, afterLogout returns a rejected promise; in previous releases it crashed the server if you did not handle the error on the Node.js process level; consider adapting your code if your app currently handles these errors on the Node.js process level with process.on('unhandledRejection', ...) (130d290)directAccess defaults to true; set this to false in environments where multiple Parse Server instances run behind a load balancer and Parse requests within the current Node.js environment should be routed via the load balancer and distributed as HTTP requests among all instances via the serverURL. (f535ee6)Parse.Cloud.httpRequest is removed; use your preferred 3rd party library for making HTTP requests (2d79c08)equalTo with value false (#8032) (7f5a15d)_Idempotency and _Role are not protected in defined schema (#8121) (c16f529)containedIn not working when object field is an array (#8128) (1d9605b)badge doesn't update with Installation beforeSave trigger (#8162) (3c75c2b)Date when directAccess: true (#8167) (e424137)Parse.Query.or, Parse.Query.and not working (#8203) (28f0d26)INVALID_SERVER_ERROR on Postgres (#8157) (3b775a1)Parse.Server (#8244) (9f11115)Parse.Query.limit() constraint (#8152) (0388956)requestKeywordDenylist can be bypassed via Cloud Code Webhooks or Triggers; fixes security vulnerability GHSA-xprv-wvh7-qqqx (#8302) (6728da1)Unexpected Error (#8045) (0d81887)Parse.Cloud.beforeSave(Parse.File, (request) => {}), the old syntax Parse.Cloud.beforeSaveFile((request) => {}) has been deprecated (#7966) (c6dcad8)appIds is set as a string (e.g. abc) instead of an array of strings (e.g. ["abc"]) (GHSA-r657-33vp-gp22) (#8185) (ecf0814)ParseObject.fetch (#7779) (315290d)postgresql protocol in database URI (#7757) (caf4a23)The following changes would formally require a major version increment (Parse Server 6.0), but given their low relevance they are released as part of this minor version increment (Parse Server 5.1).
databaseOptions.enableSchemaHooks: true to enable this feature and keep the schema in sync across all instances. Failing to do so will cause a schema change to not propagate to other instances and re-syncing will only happen when these instances restart. The options enableSingleSchemaCache and schemaCacheTTL have been removed. To use this feature with MongoDB, a replica set cluster with change stream support is required. (Diamond Lewis, SebC) #7214400 and Parse Error 105 (INVALID_KEY_NAME). By default these keywords are: {_bsontype: "Code"}, constructor, __proto__. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option requestKeywordDenylist to [] and specify your own keywords as needed. (GHSA-p6h4-93qp-jhcm) (#7843) (971adb5)fileUpload parameter in the Parse Server Options (dblythy, Manuel Trezza) #7071@parse/s3-files-adapter (Manuel Trezza) #7324restricted; the field was a code artifact from a feature that never existed in Open Source Parse Server; if you have been using this field for custom purposes, consider that for new Parse Server installations the field does not exist anymore in the schema, and for existing installations the field default value false will not be set anymore when creating a new session (Manuel Trezza) #7543null. Previously, setting a field value to null would save a null value in the database, which was not according to the GraphQL specs. To delete a file field use file: null, the previous way of using file: { file: null } has become obsolete. (626fad2)/loginAs to create session of any user with master key; allows to impersonate another user. (GormanFletcher) #7406enforcePrivateUsers, which will remove public access by default on new Parse.Users (dblythy) #7319and query with relational query condition returns incorrect results (#7593) (174886e)Parse.Cloud.sendEmail(...) to send email via email adapter in Cloud Code (dblythy) #7089classNames (Nes-si) #7131requireAnyUserRoles and requireAllUserRoles for Parse Cloud validator (dblythy) #7097accountLockout.unlockOnPasswordReset to automatically unlock account on password reset (Manuel Trezza) #7146options to be async (dblythy) #7155Parse.Cloud.httpRequest; it is recommended to use a HTTP library instead. (Daniel Blyth) #7595security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7841) (886bfd7)
Note that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code 400 and Parse Error 105 (INVALID_KEY_NAME). By default these keywords are: {_bsontype: "Code"}, constructor, __proto__. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server option requestKeywordDenylist to [] and specify your own keywords as needed.
explain query parameter to avoid a server crash due to MongoDB bug NODE-3463 (Kartal Kaan Bozdogan) GHSA-xqp8-w826-hh6x⚠️ This includes a security fix of the Parse JS SDK where
logInwill default toPOSTinstead ofGETmethod. This may require changes in your deployment before you upgrade to this release, see the Parse JS SDK 3.0.0 release notes.
Versions >4.5.2 and <4.10.0 are skipped.
⚠️ A security incident caused a number of incorrect version tags to be pushed to the Parse Server repository. These version tags linked to a personal fork of a contributor who had write access to the repository. The code to which these tags linked has not been reviewed or approved by Parse Platform. Even though no releases were published with these incorrect versions, it was possible to define a Parse Server dependency that pointed to these version tags, for example if you defined this dependency:
js"parse-server": "[email protected]:parse-community/parse-server.git#4.9.3"We have since deleted the incorrect version tags, but they may still show up if your personal fork on GitHub or locally. We do not know when these tags have been pushed to the Parse Server repository, but we first became aware of this issue on July 21, 2021. We are not aware of any malicious code or concerns related to privacy, security or legality (e.g. proprietary code). However, it has been reported that some functionality does not work as expected and the introduction of security vulnerabilities cannot be ruled out.
You may be also affected if you used the Bitnami image for Parse Server. Bitnami picked up the incorrect version tag
4.9.3and published a new Bitnami image for Parse Server.If you are using any of the affected versions, we urgently recommend to upgrade to version
4.10.0.
authProvider: password of anonymous users. When signing up an anonymous user, the session field createdWith indicates incorrectly that the session has been created using username and password with authProvider: password, instead of an anonymous sign-up with authProvider: anonymous. This fixes the issue by setting the correct authProvider: anonymous for future sign-ups of anonymous users. This fix does not fix incorrect authProvider: password for existing sessions of anonymous users. Consider this if your app logic depends on the authProvider field. (Corey Baker) GHSA-23r4-5mxp-c7g5This version was published by mistake and has been removed.
client_id has been changed to clientId. If using the Apple authentication adapter, this change requires to update the Parse Server configuration accordingly. See #6523 for details.SECURITY RELEASE: see advisory for details
Special Note on Upgrading to Parse Server 4.0.0 and above
In addition to the breaking changes noted above, #5634 introduces a two new case insensitive indexes on the
Usercollection. Special care should be taken when upgrading to this version to ensure that:
The new indexes can be successfully created (see issue #6465 for details on a potential issue for your installation).
Care is taken ensure that there is adequate compute capacity to create the index in the background while still servicing requests.
Special Note on Upgrading to Parse Server 4.0.0 and above
In addition to the breaking changes noted below, #5634 introduces a two new case insensitive indexes on the
Usercollection. Special care should be taken when upgrading to this version to ensure that:
The new indexes can be successfully created (see issue #6465 for details on a potential issue for your installation).
Care is taken ensure that there is adequate compute capacity to create the index in the background while still servicing requests.
afterLogin cloud code hook #6387. Thanks to David CoronaretryWrites=false to your connection string in order to upgrade to Parse Server 3.8.Fix: Commit changes
Fix: Use changes in master to travis configuration to enable pushing to npm and gh_pages. See diff for details.
Fix: In my haste to get a Security Fix out, I added 8709daf to master instead of to 3.4.1. This commit fixes that. Arthur Cinader
Security Fix: see Advisory: GHSA-2479-qvv7-47q for details 8709daf. Big thanks to: Benjamin Simonsson for identifying the issue and promptly bringing it to the Parse Community's attention and also big thanks to the indefatigable Diamond Lewis for crafting a failing test and then a solution within an hour of the report.
parse-server 3.0.0 comes with brand new handlers for cloud code. It now fully supports promises and async / await.
For more informations, visit the v3.0.0 migration guide.
{"pipeline": [...]} (REST Only)beforeSave and afterSave affecting the same object.select (see #571)_User now follow regular ACL policy. Letting administrator lock user out. (#4860) and (#4898)Ensure all the files are properly exported to the final package.
arrayMatches the #4762 (#4766), thanks to Jérémy Piednoel:warning: Fixes a security issue affecting Class Level Permissions
:warning: This version contains an issue affecting Class Level Permissions on mongoDB. Please upgrade to 2.7.1.
Starting parse-server 2.7.0, the minimun nodejs version is 6.11.4, please update your engines before updating parse-server
handleShutdown() feature to close database connections (#4361), thanks to CHANG, TZU-YENParseServer.start(options), thanks to Florent Vilmart$in and $nin now supports list of objectId's, thanks to Florent Vilmart$in and $nin for pointer fields work as expected thanks to Florent Vilmart_PushStatus with misconfigured serverURL, thanks to Florent Vilmartnull in containsAll queries, thanks to Diamond Lewis$withinPolygon queries (#3889), thanks to Diamond LewisisGet for get queries (#3862), thanks to davimacedoStarting 2.4.0, parse-server is tested against node 6.10 and 7.10, mongodb 3.2 and 3.4. If you experience issues with older versions, please open a issue.
count Class Level Permission (#3814), thanks to Florent Vilmartscheduled Push Notifications with push_time (#3717, #3722), thanks to Felipe Andrade$near operators in $or queries (#3767, #3798), thanks to Jack Weardenflushdb instead of flushall in RedisCacheAdapter
(#3523), thanks to Jeremy Louie_GlobalConfig (Make sure we don't treat
dot notation keys as topLevel atoms)
(#3531), thanks to Florent VilmartA major issue was introduced when refactoring the authentication modules. This release addresses only that issue.
auth: { facebook: { appIds: ["AAAAAAAAA" ] } }email field is not returned anymore for Parse.User queries. (Provided only on the user itself if provided)._User responses, strips emails by default, thanks to Arthur Cinaderhost parameter when creating parse-server from CLI, thanks to Kulshekhar KabramatchesKeyInQuery with pointers.select keys can be changed in triggers (beforeFind...), thanks to Arthur CinaderPostgres support requires v9.5
_SCHEMA table (#2912), thanks to Steven Shiptonselect and include, thanks to Florent VilmartnotEqualTo, thanks to Jeremy Louie_Installation objects, thanks to Florent VilmartbeforeFind, thanks to Florent VilmartParsePlatform/parse-server#latest, thanks to Florent Vilmart_acl is properly updated, thanks to Steven ShiptonOther fixes by Mathias Rangel Wulff
pm2 from crashing when push notifications fail, thanks to benishaksuccess, thanks to Madhav BhagatParse.Objects