Backendless Permissions model and Relation

Just when I thought that I finally had a good understanding of the Backendless Permissions model, I stumbled across a Relation “peculiarity”:
When you have table A with a relation column to table B, the permissions of table B aren’t enforced on data read/written through the relation!
In more detail:
I have a table “Inventory” with a column QtyType, a 1to1 relation to the table QuantityType. Rows in the QuantityType table shouldn’t be updated by anyone, only used as reference, so in the QuantityType permissions I set ‘deny’ on update for authenticated user. All rows in QuantityType were created by User A, but when user B creates an Inventory entry he can rewrite data in QuantityType! Same with reading ability: even when table B has “deny” in the “find” permission, it’s possible to read it in table A if it has a relation column.
It’s not documented and extremely confusing.


This issue was already discussed here:
“Unfortunately, this is the expected behaviour for now - we don’t yet support checking permissions for related entity. Though it may be fixed in the future, we can’t provide any exact time frame.”

I see. Please consider at least mentioning that in the documentation.

Ok, I will add an internal task.