I’m not sure if this is a bug or if I misunderstood permission roles. I’m trying to get data with a custom event call for my iOS app, and I also don’t want unauthenticated users to have access to any data.
My permission settings for tables look as in the screenshot; basically I just disabled access for the NotAuthenticatedUser role.
The problem is I cannot get results this way from a custom events call, but when I grant ‘Find’ permission for NotAuthenticatedUser, it works as expected.
The user is logged in to the app. I also tried to debug it with REST (with user-token in headers), but with the same result. I could see in the debugger runnerContext.userRole=AuthenticatedUser, but unless I granted ‘Find’ to NotAuthenticatedUser, it didn’t return any results from the table.
API requests issued by the custom events code do not have the same user identity. By default they go out as un-authenticated. You can change that by using one of the following approaches:
The RunnerContext object provides access to the user token associated with the user logged in on the client app. The user token can be set in the headers, thus the security context will be passed on into the API calls made by custom events.
or
Create a special user and login as that user in your custom events code. As a result, the API calls will be executed as “authenticated” and your permission model will work.
Ah ok, runnerContext userRole misled me, thought API requests would have the same credentials.
Adding the user token to headers fixed the issue for me.
Thank you for the help!
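The behaviour described in the answer above, as an added example that is not part of the original thread and is not Backendless SDK code: a toy Python model in which each data API call gets its role from its own `user-token` header, so the role reported in the runner context does not carry over unless the handler forwards the token. All function names, the `Orders` table and the token value are hypothetical and constructed for illustration.

```python
# Toy model (hypothetical names, not the Backendless SDK) of how a backend
# resolves the role of each data API call from that call's own headers.

SESSIONS = {"tok-alice": "alice"}            # constructed user-token -> user
TABLE_PERMS = {"Orders": {"AuthenticatedUser": {"Find"},
                          "NotAuthenticatedUser": set()}}
ROWS = {"Orders": [{"id": 1, "owner": "alice"}]}


def resolve_role(headers):
    """Role is derived from the user-token header of *this* request only."""
    token = headers.get("user-token")
    return "AuthenticatedUser" if token in SESSIONS else "NotAuthenticatedUser"


def data_find(table, headers):
    """Data API endpoint: checks Find permission for the resolved role."""
    role = resolve_role(headers)
    if "Find" not in TABLE_PERMS[table][role]:
        raise PermissionError(f"{role} may not Find in {table}")
    return ROWS[table]


class RunnerContext:
    """What the handler is told about the client that invoked the event."""
    def __init__(self, user_token):
        self.user_token = user_token
        self.user_role = resolve_role({"user-token": user_token})


def handler_without_token(ctx):
    # The outbound call carries no user-token, so it is evaluated as
    # NotAuthenticatedUser even though ctx.user_role is AuthenticatedUser.
    return data_find("Orders", headers={})


def handler_forwarding_token(ctx):
    # Forward the caller's token so the data call inherits their identity;
    # an anonymous caller still ends up as NotAuthenticatedUser.
    headers = {"user-token": ctx.user_token} if ctx.user_token else {}
    return data_find("Orders", headers)
```

Forwarding the token keeps ‘Find’ denied for NotAuthenticatedUser while the logged-in caller still gets results, so the table permissions do not have to be loosened.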