Backendless Support
 
Waiting for user's response

Access control to files uploaded

Hello

I asked a generic question before about permissions and access control. I read the files security but I am having a hard time figuring out what I need to do/understand it.

Basically, in the console I created a root folder called Documents.

Now every user is able to run my application and drop "their own" files. Once they upload a file, the application creates the following path/file:

Documents/userId/filexyz.txt

The user should be able to access the userId folder and contents (since they are his files). However, another user wouldn't be able to access the files. I basically don't want someone to put the full path into the browser and view a document of another user.

Please note that the userId folder is created on the spot upon the first upload so this folder does not exist before.

I tried to go to the console and go to "Documents" Role permission, and I unchecked the "notAuthenticatedUser" (I am sure it is not as simple as that). The good thing is that the path is no longer accessible by simply putting it in the browser. But also the user is not able to upload files at all to Documents using the application.

So what is the solution to what I am trying to achieve? I hope I was able to explain the problem.

Thanks a lot

Comments (7)

photo
1

After playing a lot with the API, I think I am getting the hang of it. I am just not sure if I am doing it the "right way".

Like I said, basically I want the user to have access "only" to the files he uploaded. All users upload their files under the root Documents folder.

What I did is that in the console, I set the Documents folder to be X for the notAuthenticatedUser. It has a check mark for the authenticatedUser.

Then when User A creates a file test.txt under Documents, I make 2 calls to the FilePermission API on this file.

The first call is to deny the Read access to all users.

The second call is to grant Read access to user A.

This seems to work. Except that if a new user is created in the database then by default it has access to the file!

What should be done here? I am looking for something like "owner policy" but for files

photo
1

Hi

Unfortunately there is no owner policy for files, perhaps we'll consider it in further releases. Regarding the access to files model you've proposed - it's ok. You may deny access to everyone and grant it to the specific user for each folder. Wasn't that the primary goal?

Best Regards

photo
1

Alright, as long as there is a workaround.

However, with what I proposed, I find this main issue:

If a new user is created then this new user has access to all the files that other users have by default. Basically this new user didn't exist when the access was denied to all users programmatically before.

photo
1

Use role-based permissions. Restrict access to files/directories for specific roles. When a new user is created, run a business logic event to assign a role to the user.

photo
1

But the directories/files are meant to be accessed only by the user who created them. Using roles will give a blanket access or deny to all users in that role to certain folders, which is not what I am trying to achieve.

photo
1

Then do not use roles. Instead, when a file is uploaded, run a business logic event handler to:

  1. deny access to the file to the AuthenticatedUser and NotAuthenticatedUser roles
  2. grant access to the user who uploaded the file.

photo
1

Ohhhhh I see. Nice!

I was doing what you suggested but I was denying access to all "existing" users. I guess denying the access to all auth and non-auth users but adding access to a specific user is an interesting idea which includes future users. I will try that.

Thanks a lot!!!
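
The difference between the two approaches discussed in this thread, as an added example (not code from the thread or from Backendless): a simplified permission model showing why per-user denies miss users who register later, while role-level denies plus an owner grant do not. It assumes an explicit per-user entry takes precedence over role-level entries; the function names and sample users are hypothetical.

```javascript
// Simplified model of file permission resolution (an assumption, not Backendless code):
// an explicit per-user entry wins; otherwise any role-level DENY wins; otherwise access
// needs at least one role-level GRANT. No matching entry at all means no access.
function canRead(acl, user) {
  const own = acl.users[user.id];
  if (own !== undefined) return own === 'GRANT';
  const roleRules = user.roles.map((r) => acl.roles[r]).filter((v) => v !== undefined);
  if (roleRules.includes('DENY')) return false;
  return roleRules.includes('GRANT');
}

// Folder default from the thread: authenticated users allowed, anonymous denied.
const folderDefault = () => ({
  users: {},
  roles: { AuthenticatedUser: 'GRANT', NotAuthenticatedUser: 'DENY' },
});

// Approach 1 (first attempt in the thread): deny every user that exists now, grant the owner.
function aclDenyExistingUsers(ownerId, existingUserIds) {
  const acl = folderDefault();
  for (const id of existingUserIds) acl.users[id] = 'DENY';
  acl.users[ownerId] = 'GRANT';
  return acl;
}

// Approach 2 (the suggestion that closes the thread): deny both roles, grant the owner.
function aclDenyRoles(ownerId) {
  const acl = folderDefault();
  acl.roles.AuthenticatedUser = 'DENY';
  acl.roles.NotAuthenticatedUser = 'DENY';
  acl.users[ownerId] = 'GRANT';
  return acl;
}

// Constructed sample users; userC registers after the file was uploaded.
const userA = { id: 'userA', roles: ['AuthenticatedUser'] };
const userB = { id: 'userB', roles: ['AuthenticatedUser'] };
const userC = { id: 'userC', roles: ['AuthenticatedUser'] };
const anonymous = { id: null, roles: ['NotAuthenticatedUser'] };

// Returns the ids of everyone who can read a file protected by the given ACL.
function audit(acl) {
  return [userA, userB, userC, anonymous].filter((u) => canRead(acl, u)).map((u) => u.id);
}

console.log('deny existing users:', audit(aclDenyExistingUsers('userA', ['userA', 'userB'])));
console.log('deny roles:', audit(aclDenyRoles('userA')));
```

Running the same kind of audit against a real application after each upload, with a test account created afterwards, confirms that the handler's denies cover future users.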