How do you set security settings so only the owner of the object has permission to read it?
But if I want to share the information then? Can you grant access to non-owner on a specific object?
Take a look at 9 layers of security checks here:
http://backendless.com/documentation/data/js/data_security.htm
Specifically, we have the following:
1. ObjectACL for the user who makes the call
2. ObjectACL for user-defined roles assigned to the user who makes the call
3. Table permissions for the User account
4. Table permissions for the user-defined roles
5. Owner Policy
6. ObjectACL for system roles
7. Table permissions for system-level roles
8. Global user-defined roles
9. Global system roles
If an object should be visible to others (non-owners), then you could create a role and grant Read permission to the role in ObjectACL (that will be (2) in the list above). Do you know how to do that?
I tried setting permissions for all types of roles to X (no access) and then adding Owner policy to Granted on my table. I figured that would mean that I would be able to access my own rows in the table but all I get then is:
FAULT = ‘1013’ [User has no permission to find elements in persistence storage.] <User has no permission to find elements in persistence storage.>
As for the 2nd part; no I can’t say I do. I will want to be able to share rows to specific users in the future (and that will include both read/write access). Is this not possible? I know I could do it if I just granted full access to everyone and then filtered the responses but then I guess I would be vulnerable to anyone spoofing my queries that could get any information out as long as they have an authenticated user?
Am I unclear… I am having a problem putting this in Backendless terms, I think.
- Make sure that ownerId is not empty (select table -> column “ownerId”). OwnerId = objectId of user-owner.
- Make sure You send the request as the authenticated user-owner (with user token).
for second part:
there are several ways:
- add custom role (Users page -> security and restrictions tab -> add role);
- go to Users table in data
- select with a check box users You need
- click on “User roles” button
- select check box in “Assignment” and save
- select table -> go to “Table schema and permissions”
- in “Roles permissions” grant access for this role
All users with this role will have access to Your data.
or
- select table -> go to “Table schema and permissions”
- in “Users permissions” -> find users from Users table
- select them and add to the list
- grant “Find”, “Update”…
Also, You can modify permissions on the acl level (for selected row in data table).
As far as I can see this is correct. These are the users:
http://support.backendless.com/public/g2ON4lZxnhYF8bOgpk8p.png
This is the table I want to query: http://support.backendless.com/public/cH8mLpiySv4KXRXsuSdm.png
It’s as if when the query hits the denied role permission it doesn’t check the owner policy?
You do say: “with user token” but that is seamless is it not? I don’t add any tokens but I am logged in as newly created rows do get the correct ownerId.
For the second part it is more complicated than this. Let’s say I have 1000 users and user #1 wants to share one of his rows with user #444, another with user #441 etc. We are talking hundreds (thousands) of combinations and I guess what I want to do is give a specific user access on a specific object. But I guess I can do that through the ACL on a row in the data table. I hope you can do this kind of thing through the API too?
“I hope you can do this kind of thing through the API too?”
This is an example for REST:
For role:
(use DENY or GRANT)
curl -X PUT -d '{"permission": "FIND", "role": "Role_name"}' -v http://api.backendless.com/v1/data/table_name/permissions/DENY/object_id
For all roles "*":
curl -X PUT -d '{"permission": "FIND", "role": "*"}' -v http://api.backendless.com/v1/data/table_name/permissions/GRANT/object_id
For users:
curl -X PUT -d '{"permission": "FIND", "user": "object_id_of_user"}' -v http://api.backendless.com/v1/data/table_name/permissions/DENY/object_id
For all users:
curl -X PUT -d '{"permission": "FIND", "user": "*"}' -v http://api.backendless.com/v1/data/table_name/permissions/DENY/object_id
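The per-user grant from the REST examples above, wrapped in a small helper that shares one row with one named user rather than opening the table to every authenticated user. This is an added example, not code from the thread or from Backendless; the function names, the DRY_RUN switch, the APP_ID/SECRET_KEY/USER_TOKEN variables, the sample ids and the UPDATE permission name (taken from the console's “Update”) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): per-object, per-user ACL grants.
API_BASE="http://api.backendless.com/v1"   # base URL as written in the thread

# Allow only characters that cannot alter the URL path or the JSON body.
# This also rejects the "*" wildcard, so a grant always names one user.
safe_id() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) echo "rejected value: $1" >&2; return 1 ;;
    esac
}

# acl_url TABLE ACTION OBJECT_ID -> endpoint for one row's ACL
acl_url() {
    safe_id "$1" && safe_id "$3" || return 1
    case "$2" in
        GRANT|DENY) ;;
        *) echo "action must be GRANT or DENY" >&2; return 1 ;;
    esac
    printf '%s/data/%s/permissions/%s/%s\n' "$API_BASE" "$1" "$2" "$3"
}

# acl_body PERMISSION USER_ID -> JSON body naming exactly one user
acl_body() {
    safe_id "$1" && safe_id "$2" || return 1
    printf '{"permission":"%s","user":"%s"}\n' "$1" "$2"
}

# share_row TABLE OBJECT_ID USER_ID PERMISSION...
# Prints the commands by default; set DRY_RUN=0 to send them.
share_row() {
    table=$1; object=$2; user=$3; shift 3
    for perm in "$@"; do
        url=$(acl_url "$table" GRANT "$object") || return 1
        body=$(acl_body "$perm" "$user") || return 1
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf "curl -X PUT -d '%s' %s\n" "$body" "$url"
        else
            # APP_ID, SECRET_KEY, USER_TOKEN: assumed environment variables.
            curl -X PUT -H "application-id:$APP_ID" -H "secret-key:$SECRET_KEY" \
                 -H "user-token:$USER_TOKEN" -H "application-type:REST" \
                 -H "Content-Type:application/json" -d "$body" "$url"
        fi
    done
}

# Constructed ids: the owner shares one row with one user, read and write.
share_row Notes ROW-0001 USER-0444 FIND UPDATE
```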
Okay, I am using the iOS SDK, but if it is possible with REST I’ll assume it will be possible in iOS too.
However, no matter the above I still can’t use find when the roles have no permissions for find
I can answer You later about this problem.
Please check this case again. Your owner should have the opportunity to find data.
I tried again. Logged in and did a find. The find still returns:
FAULT = ‘1013’ [User has no permission to find elements in persistence storage.] <User has no permission to find elements in persistence storage.>
- Do you have custom roles? And assigned roles to this user?
- Can you check how these permissions work with REST?
There are steps:
1. Login user
curl -H application-id:-- -H secret-key:-- -H application-type:REST -H Content-Type:application/json -X POST -d '{"password":"123", "login":"your_user@email.com"}' -v http://api.backendless.com/v1/users/login
2. Copy user-token from response
3. Add user-token in find request:
curl -H application-id:-- -H secret-key:-- -H user-token:7610D259-77C3-BC1E-FF5B-0C8671D53F00 -H application-type:REST -H Content-Type:application/json -X GET -v http://api.backendless.com/v1/data/your_table_name/object_id_of_data_object
Hello,
Yes query for an object I know the objectId of works with REST. If I drop the object_id_of_data_object part I do get the same result though:
{“message”:“User has no permission to find elements in persistence storage.”,“code”:1013}* Closing connection #0
So it doesn’t allow me to query the whole table and just get the objects I do have access to… any more ideas? Is it a bug?
Can I check it by myself? Please send me app id of this application and table name.
Send this info via email:
kateryna.maksimenko@gmail.com
Apparently I made some mistake with the REST call. It does work.
Looking at it further I’ve noticed that it is the whereClause that is causing the issue.
Adding a whereClause (any clause) causes the security error. Removing the clause returns the appropriate rows in the table (but all rows, not just the newly updated ones which I try to get with the whereClause).
Any further hints?
Deny “Read” access to the AuthenticatedUser role,
Grant “Read” access in Owner Policy.