Allow access to user data

Tony_Goodchild · March 15, 2022, 2:01pm

I have data tables set so that the Javascript authenticated user can only access their own item.

Is there a way to set permissions so that another specific user is able to access a users objects?
For example User X has a number of objects in Table A. User X wants to grant permissions for User Y to access their objects in Table A.

I can do this by setting permissions in the data and creating a PHP layer in between that manages the permissions but don’t really want to do this.

Dima · March 15, 2022, 4:05pm

Hello @Tony_Goodchild

Could you read about Object ACL - here, and tell me if this information answers your question.

Also, if you are interested in a way how to implement it, you may say what type of SDK do you use, and I will find additional information for you.

Regards, Dima.

Tony_Goodchild · March 15, 2022, 4:13pm

Hi @Dima

Thanks for your reply. I had read that before and I don’t think it covers what I need.
Instead of defining roles and setting the access permissions for the role, I need it to be covered for another user.

As an example, think of a social network application.
A user could create a number of objects that represented their posts but only that user (the owner) would have access to them.
If that owner user added a friend, then the friend user would need to have permissions to view the post objects created by the owner user.

Although my app isn’t a social network I need to be able to give users access to read objects created by other specific users in this manner.

I am using the JS SDK currently.

Tony_Goodchild · March 15, 2022, 4:16pm

As a workaround I could open up access permissions to all authenticated users to read, and then add relations to identify who could read them and use a WHERE query to bring back objects only with that relation. But this seems much like a much less secure way to manage it.

Dima · March 15, 2022, 10:05pm

Roles are the third layer. But I told you about first - Object ACL.

As for your example, that looks for me like this:

we deny access for all users except creator by default
we grant permissions to creator friends using Object ACL

Documentation for JS - Permissions API - Backendless SDK for JavaScript API Documentation

If I misunderstood you again, please let me know. I will invite to this conversation my colleague with better expertise in this question.

Regards, Dima

Tony_Goodchild · March 28, 2022, 6:25pm

Thanks Dima, I found the answer in your link.