How to retrieve objects not with all fields

timur-khasanov · August 17, 2017, 12:27pm

For example, if I have a simple model:
User: login(String), email(String), password(String)
If I send a GET request, I’d get only login and email.
But I want this: if I send a GET request, I would get only login field. In other words, how I can hide email field and get it if only that authenticated user send a request

stanislaw.grin · August 17, 2017, 12:38pm

You can use props parameter for this, which is references object properties which should be returned with every object. For example, objects in the result GET https://api.backendless.com/<application-id>/<REST-api-key>/data/Users?props=login,email will contain only the “login” and “email” properties, or leave just login if non-authenticated user send request.

Regards,
Stanislaw

timur-khasanov · August 17, 2017, 12:51pm

Ok, but it’s all about security. After reverse-engeering anyone can send another GET request and get an email.

mark-piller · August 17, 2017, 12:57pm

You are absolutely, correct, it is all about security. For this very reason, we provide a mechanism where you can restrict access to your data, users, files, etc by applying a security policy. You can restrict access to specific roles (built in or custom). Please see the documentation for more info:

https://backendless.com/docs/rest/doc.html#data_security

timur-khasanov · August 17, 2017, 1:08pm

Sorry, but my english skills don’t allow me to find the correct paragraph of this article.
By what mechanism I can restrict access not for all DB, but only for 1 field

mark-piller · August 17, 2017, 1:15pm

You can restrict access to a specific field using custom business logic. Here’s an example of how to do it using our new Codeless feature: https://youtu.be/Q4qVxrJyi38