Currently I am interested in implementing SMS authentication using Backendless and Twilio for my latest project. I was trying to achieve it using the server code. I managed to send a sms in the PHP custom events using Twilio. Now, I am trying to alter some data from the user table. According to the documentation, I will need to log in before I can alter the user properties using the user’s username and password. Is there an alternate way of doing so using a master key, like what Parse has?
Create a service user, add it to the necessary security groups, in your cloud code login as the service user before executing your actual code.
There is also another approach. When business logic makes an API request with the “Server Code” secret key, Backendless will assign the “ServerCodeUser” role to that request (it is one of the built-in roles). You can assign special permissions to that role either globally or to individual tables/objects.
Thank you for the advices. I will check them out.
Just one question, can this “ServerCodeUser” alter the entries in the “User” table?
ServerCodeUser is a role. By default it can do everything (just like any other role)
How does this work in practice? I have a logged in user and their relationships and permissions are important initially. But, at some point, I want to escalate permissions to ‘server’ level so I can edit things in my controlled business logic which the logged in user isn’t permitted to do directly.
Ideally this would be a single method call to activate. As it is I can’t see how I can either login as a user with a suitable role in business logic, or make a FIND / UPDATE request to the persistence API with a server secret key (not that that key seems to exist, I was wondering if it’s just when business logic makes a FIND or something but that would invalidate all permissions logic).
I did an experiment, the assignment of ServerCodeUser seems to happen behind the hood. I managed to update the info of the User from the business logic without any additional method to activate the ServerCodeUser.
In practice when business logic makes an API request, it will use the Code Runner Secret Key. The backend assigns the ServerCodeUser role to any request which uses that key. As a result, you can assign special permissions to that role and it will be able to perform operations that a regular user would not be allowed to do.
My question comes about because i’ve denied all direct table access to roles apart from server so that only my business logic can make changes. But, when I run the business logic now it is unable to find the objects connected on a relationship to the current user or create an entirely new table row (User has no permission to create entityServiceException), so it seems to be using user permission instead of server permission.
Does your business logic code perform a login or sends API calls as an un-authenticated user?
I don’t know how to do that. The UserService doesn’t seem to be available to login as a different user. The business logic is called by a logged in user, but that seems to just mean I can get their userId and then find them, not that they are actually logged in.
So, as I understand it, in my business logic there is no logged in user and any request I make, such as
List<X> result = Backendless.Persistence.of(X.class).find(dataQuery).getCurrentPage();
should run as a server user which has full permission within the system. But that request returns zero results. Creating a new object with
returns the above exception due to lack of permission.
I should note that the business logic is currently in debug and being run from the REST interface with local debugging.
Could you please attach a screenshot of the Roles permissions for table X?
I have currently set the permissions on all data tables as per the attached image, the intention being to deny all access other than by business logic. The Users table is a little more permissive as I want unauthorised users to be able to register (Create).
Please try granting explicit (green mark) permissions to the ServiceCodeUser role. Also, enable permissions for the NotAuthenticatedUser. It is the combination of NotAuthenticatedUser and ServiceCodeUser that enables access for the business logic code. Since all other keys are disabled, access for the NotAuthenticatedUser does not create a hole.
Let us know if that helps.
Ok, that makes sense, thanks. I have modified the not authenticated role permissions and the service is working now.
Great! Thanks for confirming that.