parse-server: $relatedTo now enforces authorization checks
What changed
The `$relatedTo` operator in relation queries now enforces authorization checks: the owning object must be readable by the caller under its ACL, class-level permissions, and pointer permissions, and the relation key must not be protected by `protectedFields`. Previously, `$relatedTo` could read relation membership even when the field was hidden or the object was not readable.
Who it affects
Applications using parse-server that rely on `protectedFields` or object ACLs to keep `Relation` membership confidential, such as private group memberships, block lists, or account-to-resource associations.
What to do today
Upgrade parse-server to a patched version to prevent unauthorized enumeration of relation memberships via `$relatedTo`.
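To check whether an application falls into the affected group, the following added example (not parse-server code) lists `Relation` fields named in `protectedFields` and flags logged queries whose `$relatedTo` clause targets one of them. The schema objects follow parse-server's schema shape; the `{ id, where }` log record shape, the class names and all sample data are constructed assumptions.

```javascript
// Added audit example, not parse-server code. All sample data is constructed.
const schemas = [ // shape follows parse-server schema objects
  { className: 'Group',
    fields: { name: { type: 'String' }, members: { type: 'Relation', targetClass: '_User' },
              admins: { type: 'Relation', targetClass: '_User' } },
    classLevelPermissions: { protectedFields: { '*': ['members'], 'role:moderator': [] } } },
  { className: 'Post',
    fields: { likes: { type: 'Relation', targetClass: '_User' } },
    classLevelPermissions: {} },
];
const ptr = (className, objectId) => ({ __type: 'Pointer', className, objectId });
const loggedQueries = [ // hypothetical log record shape: { id, where }
  { id: 'q1', where: { $relatedTo: { object: ptr('Group', 'g1'), key: 'members' } } },
  { id: 'q2', where: { $relatedTo: { object: ptr('Post', 'p1'), key: 'likes' } } },
  { id: 'q3', where: { $or: [{ username: 'a' },
      { $relatedTo: { object: ptr('Group', 'g2'), key: 'members' } }] } },
  { id: 'q4', where: { $relatedTo: { object: ptr('Group', 'g1'), key: 'admins' } } },
];

// Relation fields named in any protectedFields entry, returned as "Class.key".
function protectedRelationKeys(schemaList) {
  const out = new Set();
  for (const s of schemaList) {
    const pf = (s.classLevelPermissions || {}).protectedFields || {};
    for (const names of Object.values(pf)) {
      for (const f of Array.isArray(names) ? names : []) {
        const field = (s.fields || {})[f];
        if (field && field.type === 'Relation') out.add(`${s.className}.${f}`);
      }
    }
  }
  return out;
}

// Collect every $relatedTo clause in a where object, wherever it is nested.
function relatedToClauses(where, found = []) {
  if (Array.isArray(where)) where.forEach(w => relatedToClauses(w, found));
  else if (where && typeof where === 'object') {
    for (const [k, v] of Object.entries(where)) {
      const ok = k === '$relatedTo' && v && v.object && typeof v.key === 'string';
      if (ok) found.push(`${v.object.className}.${v.key}`);
      else relatedToClauses(v, found);
    }
  }
  return found;
}

// Logged queries whose $relatedTo targets a protected relation key.
function flagQueries(schemaList, queries) {
  const sensitive = protectedRelationKeys(schemaList);
  return queries.filter(q => relatedToClauses(q.where).some(k => sensitive.has(k)));
}
```

This covers only relation keys hidden through `protectedFields`; relations kept confidential by object ACLs or pointer permissions do not show up in the schema and need a per-object review.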