How secure is the Parse PFUser.current() object?

Question

I have a question about Parse security and hope someone can give me some pointers and suggestions.

I am working on a game where users can accumulate a game resource called gold.

To keep track of how much gold each user has, I have a Parse class called Resource. This class is public readable (thru get, not find) but not public writable.

The User class and the Resource class are linked both ways in that: each object in the User class has a property called resourceId, which is the objectId of the Resource object that belongs to the user. Therefore, players can read (thru get) his own resource as well as those of his friends; and each object in the Resource class has a pointer that points to a user in the User class

In the game, a user can spin a prize wheel to get gold prizes. When the user spins the wheel, the client calls a cloud code function and pass on a single argument, which is the PFUser.current() object.

The cloud code generates a random number to determines the prize, and then write the prize to the Resource class. To determine which Resource object to write to, the cloud code does 2 things: (1) it reads the resourceId from the argument (PFUser.current()), and (2) using that resourceId, it gets the relevant Resource object, then checks to see if the user-pointer points to the same User object as the argument itself (again, PFUser.current()).

So my question is, is my setup secure against someone trying to spin the prize wheel of another user? Can a compromised client device modifies the PFUser.current() object and pretend to be another user? Are there better ways to achieve what I want to do?

Answer 1

Use this:

Parse.Cloud.define("myFunction", function (request, response) {

var senderUser = request.user;

//your code

});

It's definitely better way than passing PFUser.current() as an argument - it works with the Parse SDK internally, which means it should be harder to fake it than the argument.