Make requests from cloud code function as requesting user

[JeremyPlease]

• You've met the prerequisites: https://github.com/ParsePlatform/parse-server/wiki/Parse-Server-Guide#prerequisites.
• You're running the latest version of Parse Server: https://github.com/ParsePlatform/parse-server/releases
• You've searched through existing issues: https://github.com/ParsePlatform/Parse-Server/issues?utf8=%E2%9C%93&q=is%3Aissue Chances are that your issue has been reported or resolved before.

Environment Setup

• Server: v2.2.9, OSX, local
• Database: mongodb 3, local

Steps to reproduce

1. Create a class with CLP that only allows one role to create.
2. Create a user and add to said role.
3. Run cloud function that creates an object on the class.
4. Get an error of {code: 119, message: "Permission denied for this action."}

If I use .save(null, { sessionToken: req.user.getSessionToken() }) then the save works, however I would like all saves and queries in cloud code functions to use the requesting users session.

---

A quick work around I've implemented is to override the Parse.Cloud.define function like so:
EDIT: Don't do this. It's bad. Technically this overrides the global Parse JS SDK REST request function on every cloud request. If multiple requests come in at the same time and then handle other requests in promises, the most recent session token will be used on all requests

var originalDefine = Parse.Cloud.define;

Parse.Cloud.define = function(name, originalFunction) {
  var newFunction = _generateFunction(name, originalFunction);
  originalDefine.apply(this, [name, newFunction]);
}

function _generateFunction(name, originalCloudFunction) {
  var newFunction = function(request, response) {
    // Override Parse RESTController request to set token
    var token = request.user.getSessionToken();
    var RESTController = Parse.CoreManager.getRESTController();
    var originalRequest = RESTController.request;
    RESTController.request = function() {
      var options = arguments[3] || {};
      options.sessionToken = token;
      return originalRequest.apply(this, arguments);
    }
    return originalCloudFunction.apply(this, arguments);
  };
  return newFunction;
}

[mbilling]

This is the way that cloud function should have been implemented. But it's documented that you should set sessionToken on all calls to api. See https://github.com/ParsePlatform/parse-server/wiki/Compatibility-with-Hosted-Parse

You should request a pull. I'm sure that it would get accepted. Since it matches how the whole parse.com documentation is written

[JeremyPlease]

@mbilling I spent some time looking into this and I've determined there's no viable way to automatically use the requesting user's sessionToken in all requests made from a cloud function.

The cloud functions in the open source Parse Server use a global Parse object (which is the Parse JS SDK) for requests (creates, reads, updates, and deletes). Therefore, if you set a current sessionToken or current user on the JS SDK, then all subsequent or concurrent requests will be made with the most recently set sessionToken.

The only solution to this issue is to include the options { sessionToken: req.user.getSessionToken() } on any and all requests in cloud code that should be made as the requesting user.