Hosted scripts & file permissions question

I am trying to do something with hosted scripts that I cannot get working and want to be sure it is possible or figure out what I am doing wrong. I have a couple of scripts that upload content to the database for my app and want to have them available from a web page so I can execute them from there. Since these scripts upload content to the app DB I want them to be secure and not have just anyone access them with the public URL.

So I have set permissions on the admin script so that only one user has read and write permissions on the script. On the web page I have built, the admin user enters their username & password, clicks a login button, and I call the login function, which logs the admin user in successfully. Then I have another button on the same page to execute the admin script file which has the permissions set on it. But when I try to run the second script, even though I have logged the user in, I receive the error {"message":"User has no permissions to specified resource","code":4000}.

Should this work? I am basically looking for a way to be able to run some admin hosted scripts but only have an authenticated admin user be able to execute the scripts.

Could you clarify (perhaps by posting a screenshot) how you secured your “admin-only” script?

I have attached screenshots of the user & role settings for the admin script. Basically I have granted the specific user Read & Write permissions and for roles for both authenticated and non-authenticated users disabled all permissions.

When you invoke the script from your webpage (after you authenticate the user), do you pass the “user-token” HTTP header? The value for that header is returned from the login API call.

No, I'm not doing this. I am calling the login API with stayloggedin = true, so I thought this would work.
When I look at the success response for login I don't see a user token. Here is what I am returned in the login response; is the token in here?

{"lastLogin":1436304816970,"created":1435022682000,"email":"gjmcshea@gmail.com","updated":1436300716000,"objectId":"451FD07F-E5CC-D305-FF71-CE5F9392C200","ownerId":null,"name":"Greg McShea","__meta":"{"relationRemovalIds":{},"selectedProperties":["created","email","updated","objectId","ownerId","name","__updated__meta","___class","password"],"relatedObjects":{}}","___class":"Users"}

I also just tried assigning a variable to the login call result like below:
var userToken = Backendless.UserService.login( userName, password, false, async );

But when I do this the value I get for userToken is just "true".

I have read through the docs and kept experimenting, but I do not see how to get the actual token value to be used in the HTTP header. I see methods to check for the existence of the token but not how to get the token value. And as mentioned above, if I assign a variable to the result of the login method it always just returns "true". Please advise how I can get the actual token.

Hi, Greg,

Thank you for reporting this bug. It will be fixed soon in the next release and we’ll notify you in this thread.

Regards,
Sergey

Hi Sergey, thanks for the update. What are we talking about in terms of timing for the next release: days, weeks, months? Also, when the issue is fixed, is it expected that the token value will come from the login call response or be returned from the login function?

Greg,

It should take about a week or less. Once the issue is fixed on the server side, you’ll still need to do the following:

  1. Login a user.
  2. Retrieve the user token using the following call: var userToken = Backendless.LocalCache.get("user-token");
  3. Add the "user-token" HTTP header with the userToken value from above to the request sent to the .js script.

Regards,
Mark

Hi, has this been fixed?

Hi! A server update is planned for next week. We will notify you when it is ready.
Regards,
Kate.

Hi, Greg,

The new production server version has been released, so you can now test your script.

Please feel free to inform us if you run into any issue again.

Regards,
Sergey

Hi, I am still not able to get this working. I am trying to get the userToken as described by Mark in his step #2 above. Here is the code in my login.js file. I always get an empty string for the user token:

var Backendless = require( '…/libs/backendless.js' );

exports.run = function( request, response )
{
    Backendless.initApp( "B75DC8E3-A4F2-255C-FF29-BE5B2377B400", "2919B8AD-347C-EDA4-FFAE-42AEDBF85800", "v1" );

    var jsonBody = JSON.parse( request.body );
    var userName = jsonBody.userName;
    var password = jsonBody.password;

    // Success/failure callbacks for the login; neither one sends the response.
    var async = new Backendless.Async(
        function( success )
        {
            //response.send( success );
        },
        function( failure )
        {
            //response.send( failure );
        });

    // login() with an Async argument runs asynchronously, so the cache is read
    // here before either callback has fired.
    Backendless.UserService.login( userName, password, true, async );
    var userToken = Backendless.LocalCache.get( "user-token" );
    response.send( userToken );
}

Any update on this, do I need to start a new topic?

Hi Greg!

  1. As I understand it, the permissions issue is already solved?
  2. "…do I need to start a new topic?" Yes, please start a new topic with the user token issue.

Regards,
Kate.

Hi Kate, according to Mark's comment above, in #3 he mentions that the user token is required to test the permissions access. So getting the user token is not working for me, and without this I cannot try the file permission access.

The following steps apply to your use case:

On your client app you log the user in and get its token (for this purpose you can use JS SDK methods or REST). This logic should be on your client side, not in hosting scripts. Hosting scripts work without browser local cache (which is used in methods like Backendless.LocalCache.get("user-token")).

For testing you can use REST requests:
Login user:

curl -H application-id:XXX -H secret-key:XXX -H Content-Type:application/json -X POST https://api.backendless.com/v1/users/login -d '{"login":"foo@foo.com", "password":"123"}'

Get user token from server response:

"user-token":"XXXXX"

Run GET request with user-token header (as admin user):

curl -H user-token:XXXX -H application-id:XXX -H secret-key:XXX -H Content-Type:application/json -X GET https://api.backendless.com/XXX/v1/files/web/scripts/test.js

Regards,
Kate.
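The two-step exchange Kate lays out here (and that Mark's three steps describe earlier) as an added client-side example, not code from the thread or from the Backendless SDK: log in over REST, take "user-token" from the response body, then send it as a header on the request for the permission-restricted script. The HTTP call is injected as a `transport` function (request -> {status, body}) so the flow runs offline against a constructed fake server; the fake's credentials, token, app id, status codes and the served script text are all made up for this example.

```javascript
const BASE_URL = "https://api.backendless.com";

// Added example: the REST flow from the thread, with the HTTP call injected as
// `transport` (request -> {status, body}) so it can run offline against the
// constructed fake server below. In a browser, back `transport` with fetch.
function fetchAdminScript(cfg, transport) {
  const { appId, secretKey, login, password, scriptPath } = cfg;
  const authHeaders = { "application-id": appId, "secret-key": secretKey };
  // Step 1: log in. The token is in the JSON body under "user-token";
  // the SDK's boolean return value is not the token.
  const loginRes = transport({
    method: "POST",
    url: `${BASE_URL}/v1/users/login`,
    headers: { ...authHeaders, "Content-Type": "application/json" },
    body: JSON.stringify({ login, password }),
  });
  if (loginRes.status !== 200) throw new Error(`login failed: ${loginRes.body.message}`);
  const userToken = loginRes.body["user-token"];
  if (typeof userToken !== "string" || userToken === "") throw new Error("login response carried no user-token");
  // Step 2: request the restricted script with the token as a header. Without
  // it the server answers {"message":"User has no permissions to specified resource","code":4000}.
  const fileRes = transport({
    method: "GET",
    url: `${BASE_URL}/${appId}/v1/files/${scriptPath}`,
    headers: { ...authHeaders, "user-token": userToken },
  });
  if (fileRes.status !== 200) throw new Error(`script request failed: ${fileRes.body.message} (code ${fileRes.body.code})`);
  return fileRes.body;
}

// Constructed fake server (not Backendless): one admin, one token; the script is
// served only when exactly that token arrives in the user-token header.
function makeFakeServer({ admin, password, token, appId }) {
  const denied = { message: "User has no permissions to specified resource", code: 4000 };
  return (req) => {
    if (req.method === "POST" && req.url.endsWith("/v1/users/login")) {
      const creds = JSON.parse(req.body);
      return creds.login === admin && creds.password === password
        ? { status: 200, body: { name: "Admin", "user-token": token } }
        : { status: 401, body: { message: "invalid credentials (constructed)" } };
    }
    if (req.method === "GET" && req.url.includes(`/${appId}/v1/files/`)) {
      return req.headers["user-token"] === token
        ? { status: 200, body: "exports.run = function(req, res) { res.send('ok'); };" }
        : { status: 403, body: denied };
    }
    return { status: 404, body: { message: "not found (constructed)" } };
  };
}
```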