Execute hosted Business Logic as a specific user

I’ve created some hosted business logic that will be called from an iOS/Android client. The hosted code performs various searches of the Users table.

To ensure the Users table can’t be queried by any random Joe who discovers the API keys, I want to disable NonAuthenticated users’ access to it - which I’ve been able to do successfully.

The problem is, even though I supply a valid user token along with my call to the auto-generated REST API, I cannot get results from that Users table. I assume that is because the hosted code does not automatically detect the “user-token” header value and run under that user’s permissions context, correct?

So, assuming that I only have a user token, how do I run my hosted code within the context of that specific user?

Currently hosted services do not impersonate the user who initiated the call. The information which is currently available in the context of a service call includes the user’s objectId and the roles the user has (assuming that user-token was provided).

If the NonAuthenticated role has no access to anything, an option you have in a hosted service is to log in as some known “super user” and use that user’s identity to perform all the requests in your service code.

Regards,
Mark

Thanks Mark - can you point me to the documentation that shows me how to access that objectId and roles?

Sure, please see the “Invocation Context” section on this page:

https://backendless.com/documentation/api-engine/apieng_invocation_context.htm
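
An added example, not part of the posts above and not Backendless code: when the service queries the Users table under a "super user" identity, the table's own permissions no longer protect it, so the service has to authorize the caller itself from the objectId and roles in the invocation context. The context shape (`userId`, `userRoles`), the role name, the column names and the `privilegedSearch` callback are assumptions for illustration; check the Invocation Context page for the real field names.

```javascript
// Hypothetical context shape: { userId, userRoles }. userId is the caller's
// objectId and is only present when a valid user-token accompanied the call.
const ALLOWED_ROLES = ['AuthenticatedUser'];        // assumed role name
const PUBLIC_FIELDS = ['objectId', 'displayName'];  // assumed safe columns
const MAX_RESULTS = 25;

class AccessDenied extends Error {}

// Reject callers with no identity or no permitted role before any query runs.
function authorizeCaller(context) {
  if (!context || !context.userId) {
    throw new AccessDenied('no authenticated user in invocation context');
  }
  const roles = Array.isArray(context.userRoles) ? context.userRoles : [];
  if (!roles.some((r) => ALLOWED_ROLES.includes(r))) {
    throw new AccessDenied('caller lacks a permitted role');
  }
  return context.userId;
}

// Return only the columns the caller may see; everything else is dropped.
function project(record) {
  const out = {};
  for (const f of PUBLIC_FIELDS) if (f in record) out[f] = record[f];
  return out;
}

// privilegedSearch stands in for the query the service runs as the super user.
function searchUsers(context, term, privilegedSearch) {
  authorizeCaller(context);
  if (typeof term !== 'string' || term.trim().length < 2) {
    throw new RangeError('search term too short');
  }
  return privilegedSearch(term.trim()).slice(0, MAX_RESULTS).map(project);
}

// Constructed sample rows standing in for the Users table.
const SAMPLE_USERS = [
  { objectId: 'U1', displayName: 'alice', email: 'alice@example.test', password: 'x' },
  { objectId: 'U2', displayName: 'alan', email: 'alan@example.test', password: 'y' },
];
const fakeSearch = (t) => SAMPLE_USERS.filter((u) => u.displayName.startsWith(t));

const demo = searchUsers({ userId: 'U1', userRoles: ['AuthenticatedUser'] }, 'al', fakeSearch);
console.log(demo);
```

The role check and the column projection are what stand between an anonymous caller holding the API keys and the full Users table once the service itself holds super-user rights.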