Are you looking for help?
This is a support forum for reporting issues related to Backendless services. Please note that due to our support policy we cannot provide you help with debugging your code, consulting in regards to any language or third-party library usage. For this kind of questions we recommend using more appropriate forums like Stack Overflow.
In order to suggest you a quality solution, we shall usually ask you to provide the details mentioned below first. Including them into your topic right away helps us to start investigating your issue much faster.
In case you have a suggestion or an idea, the details below are not always required, though still any additional background is welcome.
Backendless Version (3.x / 5.x, Online / Managed / Pro )
Online
Client SDK (REST / Android / Objective-C / Swift / JS )
curl
Application ID
86DF97EF-A838-427E-A069-5F4DC2B95285
Expected Behavior
Please describe the expected behavior of the issue, starting from the first action.
- Execute data search with a ‘where’ clause using API key credentials with proper permissions to a table
- Search returns expected rows
Actual Behavior
- curl -G --data-urlencode “where=kitid=‘IAC0DEMO08’” --data-urlencode “loadRelations=sku,sku.partner” “https://api.backendless.com/$BACKENDLESS_APP_ID/$BACKENDLESS_API_KEY/data/KitIDs”
- {“code”:1053,“message”:“Access to ‘kitid’ is not allowed”,“errorData”:{}}
When using the CloudCode API key, this call works.
Reproducible Test Case
See above
Hi Christopher,
Could you please let me know what specific API key you use when the error is returned?
Regards,
Mark
orderlessactivation API key, ending in 82CEB8
I believe it doesn’t work because the NotAuthenticatedUser role denies access to the kitid column in the COLUMN VISIBILITY section of the PERMISSIONS tab. Have you tried running the same request with an authenticated user?
Maybe I’m missing something - I thought the calls made with the API key would have the orderlessactivationRole, not NotAuthenticatedUser?
Every invocation will have NotAuthenticatedUser or AuthenticatedUser roles assigned in addition to any custom roles associated with the user (if the user is logged in).
The orderlessactivationRole is linked to an API key and is treated as a global system role, just like NotAuthenticatedUser. As a result, when one of them denies the request (since they are the same level), the request is rejected.
Take a look at the layers described here. Both roles are sitting at layer 7 in your case:
Hope this helps.
Mark
Ok I think I understand. So for backend API calls, we should be creating a user and assigning it the appropriate role(s)? Or is there another way to make authenticated calls with only an API key?
If this logic is executed only by the backend logic (for instance a timer, or an API service that is called internally), it is OK to rely on the ServerCodeUser role/key, it is the only key that has elevated permissions. For instance, with the following configuration for my table, I can still get data:
Got it, thank you for clarifying Mark. Just so I am sure I understand, if we are calling the Backendless APIs from a backend service outside of Backendless, our only options are to either use the CloudCode API key, or to make an actual User and get a token for that backend service to use?
That’s not the only option. Alternatively, you can create an API service within Backendless that would be responsible for the data search operation. Your outside service can invoke the API service in Backendless. The benefit of this approach is you can consolidate any relevant business (or security) logic within the service.
Regards,
Mark
