Backendless Support
 
Solved

v4 and sendEmail from BL

In v3 I had disabled permissions for auth/nonauth users to send email, and enabled them for serverCodeUser, and it was fine: the BL script sent emails while client users weren't able to abuse it and send email.

Now after migration I'm receiving error "User has no permission to send email" when BL script tries to send email. Turns out I need to enable "send email" for authenticated user in order for BL send email to work. But I don't want authenticated users to have this permission, I only need it to work from server side.


Comments (17)

photo
1

Hello, what is your v4 application id?

photo
1

it's "1B92F985-D9EF-9689-FFAC-C7E5FE5F2A00"

photo
photo
1

The behavior on 3.X was the same.

If you make a call from BL as a nonauth user, then only the restrictions for the ServerCodeUser role will be used.

If you make a call from BL as an auth user, then the restrictions will be used as usual.

photo
1

No, the current behavior is not the same. Although now, after I tried a few repeated tests, I see that sometimes it actually works. But it's unpredictable: sometimes it runs fine, and sometimes it gives this error. You can check my log (for events from 5 minutes ago):

INFO | myCustomEvent, context: {...}

INFO | error User has no permission to send email

ERROR | [7281] Error: [object Object]

INFO | [7281] Processing finished

INFO | [7797] [0E3313DC-2118-F3FD-FFA5-08077418A400] [INVOKE HANDLER] custom.myCustomEvent

INFO | [7797] Building ServerCode Model for path (/var/lib/backendless/repo/1b92f985-d9ef-9689-ffac-c7e5fe5f2a00/files/servercode/JS/default/PRODUCTION)

INFO | [7797] ServerCode Model built in 2ms

INFO | myCustomEvent, context: {...}

INFO | message has been sent

INFO | [7797] Processing finished

INFO | [8848] [3375EEC7-96FF-B591-FFA7-6DE380E38500] [INVOKE HANDLER] custom.myCustomEvent

INFO | [8848] Building ServerCode Model for path (/var/lib/backendless/repo/1b92f985-d9ef-9689-ffac-c7e5fe5f2a00/files/servercode/JS/default/PRODUCTION)

INFO | [8848] ServerCode Model built in 2ms

INFO | myCustomEvent, context: {...}

INFO | message has been sent

INFO | [8848] Processing finished

INFO | [9372] [8982B2C2-7CBB-C866-FF95-A3829E3F6400] [INVOKE HANDLER] custom.myCustomEvent

INFO | [9372] Building ServerCode Model for path (/var/lib/backendless/repo/1b92f985-d9ef-9689-ffac-c7e5fe5f2a00/files/servercode/JS/default/PRODUCTION)

INFO | [9372] ServerCode Model built in 2ms

INFO | myCustomEvent, context: {...}

INFO | message has been sent

INFO | [9372] Processing finished

INFO | [10408] [DD6EE18A-B822-366F-FF2C-430CD0648F00] [INVOKE HANDLER] custom.myCustomEvent

INFO | [10408] Building ServerCode Model for path (/var/lib/backendless/repo/1b92f985-d9ef-9689-ffac-c7e5fe5f2a00/files/servercode/JS/default/PRODUCTION)

INFO | [10408] ServerCode Model built in 2ms

INFO | myCustomEvent, context: {...}

INFO | message has been sent

INFO | [10408] Processing finished

INFO | [10921] [13C613BC-CD13-4592-FF5D-11B9E9579D00] [INVOKE HANDLER] custom.myCustomEvent

INFO | [10921] Building ServerCode Model for path (/var/lib/backendless/repo/1b92f985-d9ef-9689-ffac-c7e5fe5f2a00/files/servercode/JS/default/PRODUCTION)

INFO | [10921] ServerCode Model built in 2ms

INFO | myCustomEvent, context: {...}

INFO | error User has no permission to send email

ERROR | [10921] Error: [object Object]

photo
photo
1

It is the same.

I think that in some cases your BL logic makes calls as an auth user, and in others as nonauth.

Nevertheless, now we have discussion, to change this policy and make BL logic to call only as ServercodeUser role.

photo
1

My words about different behavior are not about theory, but about how it's working now in my code. Changed behavior meant that I have different results, not the same as in 3.x, that's it. So, how long until this "only as ServercodeUser role" change? Days, weeks?

photo
1

This is not my opinion or theory, it is the fact, that behavior is the same as in 3.X.

photo
1

Oh, I didn't know that, turns out it is the fact!

And what should I then call my observation: after migration the same code with the same settings gives a different result. I guess I can't call it a fact? Maybe it's my wild imagination then.

photo
photo
1

Please provide a video that demonstrates the difference between the 3.X and 4 versions.

photo
photo
1

In the Backendless 3.X case you are not logged in as a user; in Backendless 4 you are logged in as some user.

Here is a similar example with 3.X: http://take.ms/ol>

photo
1

And why do you think that in 3.X I'm not logged in? Do you want another video where I'm logging in first? Or do you mean the log-in command in Business Logic? In that case, what has changed in backend behavior?

By the way, your link is broken.

photo
photo
1

Sorry for the broken link, try this one: https://monosnap.com/file/XN8UfCsPTwCzFlVhLaFqQt6dUVCSyF

photo
1

Thank you for spending your time and recording this, but it is not in any way related to the problem I have.

It's somewhat related, but proves nothing in my case. I described a problem with the "send email" permission and sending email from a JavaScript custom event, which worked in a certain way in v3 and works in another way in v4. If you want to prove me wrong, please provide a relevant sample.

photo
photo
1

I made the same scenario with a JS custom event, and you are right. But it works in Backendless 3.X because of a bug: coderunner for JS does not send the user-token header to the server, and the server thinks that it is a nonauth user. We have fixed it in Backendless 4. We cannot fix it in 3.X because it will break some logic for our customers.

As a solution, you may use the following code before the call to the server:

  Backendless.LocalCache.remove('user-token')

photo
1

I see. Yes, with the mentioned code it's working with the same permissions (disabled for Auth and NotAuth, enabled for Server). But I can't fully understand what's happening in the code.

Is it:

Originally my code (in the custom event) has the AuthenticatedUser and ServerCodeUser roles, and "disabled" sendEmail for the authenticated user overrides "enabled" sendEmail for ServerCodeUser.

Then, in the code with Backendless.LocalCache.remove('user-token'), I'm making the next commands run with NotAuthenticatedUser (and still ServerCodeUser). But why in this case does the permission for NotAuthenticatedUser (disabled sending) not override ServerCodeUser as it did with AuthenticatedUser?

I read https://backendless.com/docs/js/doc.html#users_user_roles but didn't find how to apply there.

Also with yours "Nevertheless, now we have discussion, to change this policy and make BL logic to call only as ServercodeUser role" - when will it be turned on and what it will affect?

photo
1

>>Is it:

Yes, it is.

>>But why in this case does the permission for NotAuthenticatedUser (disabled sending) not override ServerCodeUser as it did with AuthenticatedUser?

Because if you make requests from business logic as a nonauth user, there will be only one role, ServerCodeUser. But if you make requests as a logged-in user, there will be all roles as usual.

>>Also with yours "Nevertheless, now we have discussion, to change this policy and make BL logic to call only as ServercodeUser role" - when will it be turned on and what it will affect?

We have decided not to change anything. The current behavior is more appropriate.
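
The role resolution described in this thread, written out as an added JavaScript model (not part of the original posts and not Backendless code). The role names and the "deny overrides grant" rule come from the thread; the function names, the data shapes and the sample token are assumptions made for illustration.

```javascript
// Added model of the behavior described in this thread; not Backendless source code.
// Role names come from the thread; function names and data shapes are assumptions.

// "Send email" settings the original poster wants to keep.
const THREAD_PERMISSIONS = {
  AuthenticatedUser: 'deny',
  NotAuthenticatedUser: 'deny',
  ServerCodeUser: 'grant',
};

// Roles attached to a request, per the support replies:
// BL call without user-token -> only ServerCodeUser;
// BL call with user-token    -> the user's roles as usual, plus ServerCodeUser.
function effectiveRoles({ fromBusinessLogic, userToken }) {
  const userRole = userToken ? 'AuthenticatedUser' : 'NotAuthenticatedUser';
  if (!fromBusinessLogic) return [userRole];
  return userToken ? [userRole, 'ServerCodeUser'] : ['ServerCodeUser'];
}

// A deny on any attached role overrides a grant on another (confirmed in the thread).
function canSendEmail(request, permissions = THREAD_PERMISSIONS) {
  const roles = effectiveRoles(request);
  if (roles.some((role) => permissions[role] === 'deny')) return false;
  return roles.some((role) => permissions[role] === 'grant');
}

// Evaluate the four request kinds discussed in the thread under one permission set.
function evaluateAll(permissions = THREAD_PERMISSIONS) {
  const token = 'constructed-sample-token'; // placeholder, not a real token
  return {
    clientAnonymous: canSendEmail({ fromBusinessLogic: false, userToken: null }, permissions),
    clientLoggedIn: canSendEmail({ fromBusinessLogic: false, userToken: token }, permissions),
    blWithUserToken: canSendEmail({ fromBusinessLogic: true, userToken: token }, permissions),
    blTokenRemoved: canSendEmail({ fromBusinessLogic: true, userToken: null }, permissions),
  };
}

// Desired settings: only BL with the token removed can send.
console.log(evaluateAll());
// The alternative the poster rejected: granting AuthenticatedUser fixes BL, but opens clients.
console.log(evaluateAll({ ...THREAD_PERMISSIONS, AuthenticatedUser: 'grant' }));
```

The second call shows why enabling "send email" for AuthenticatedUser is the weaker fix: the business logic call succeeds, but so does every logged-in client.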