
File Security settings don't appear to work

I have the following permissions set on the file system. I wrote a piece of Java that does a listing() and prints out the URL, then I grabbed a random web browser, put the URL in, and it displayed the resulting file. Why would it allow the file to be downloaded via URL if all the permissions are set to deny, except for ServerCodeUser?

I have asked others to test the URLs and they can retrieve the file with no problems.

There are two URLs for every file. One of them is “attached” to your developer session with console, and the other is the public URL:

Which URL did you use?

Apparently there are possibly 3 URLs. See below. The first URL is from the Java Listing() API call. The second is the public URL on the right you are pointing out. The third URL is the developer URL on the left you are pointing out.

There definitely is a difference between the 3.

When I try the Java Listing() URL, I can use it anywhere. Desktop and mobile, Firefox, Safari, etc.


When I try the public URL, it correctly puts up the error message.


When I try the developer URL, I get a login prompt.

So in this case, the URL from the Java Listing() function appears to present a URL that doesn’t adhere to the permissions settings. Am I seeing this correctly?

The difference between first and second URLs is the API key. See the documentation for the details on the structure of the URL:
https://backendless.com/docs/rest/files_file_upload.html
Where it says REST-API-key in the URL, it can be ANY API key for your app. The API key will dictate what security permissions will be applied. When the URL has the CodeRunner API key, the permissions associated with the ServerCodeUser role will apply. What this means is that when you fetch the directory listing from your business logic in Java, the returned URLs will contain the CodeRunner API key, since the server makes the assumption that if the server code requests the listing, then it will be the server code that will use the provided URLs.

Regards,
Mark
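The consequence of the answer above is that URLs returned by a server-side listing should not be passed to clients unchanged. The following is an added example, not part of the original thread or Backendless's own code: it swaps the CodeRunner key in a listing URL for a client key so the client's role permissions are evaluated. The URL layout `https://host/<application-id>/<REST-API-key>/files/<path>`, the host name, and both key values are assumptions and placeholders.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.List;

public class FileUrlRekey {
    // Placeholder values (constructed); substitute your app's real keys.
    static final String CODERUNNER_KEY = "CODERUNNER-KEY-PLACEHOLDER";
    static final String CLIENT_KEY = "CLIENT-REST-KEY-PLACEHOLDER";

    /**
     * Assumed layout: https://host/<application-id>/<REST-API-key>/files/<path>
     * Returns the URL with the CodeRunner key replaced by the client key, so the
     * request is checked against the client's roles instead of ServerCodeUser.
     * Any query string or fragment is dropped.
     */
    static String rekeyForClient(String fileUrl) {
        URI uri = URI.create(fileUrl);
        // Raw path keeps percent-encoding (e.g. %20) intact.
        String[] seg = uri.getRawPath().split("/", -1);
        // seg[0] is "" (leading slash), seg[1] app id, seg[2] API key, seg[3] "files"
        if (seg.length < 5 || !"files".equals(seg[3])) {
            // Refuse to hand out a URL whose key position cannot be identified.
            throw new IllegalArgumentException("unexpected file URL layout: " + fileUrl);
        }
        if (CODERUNNER_KEY.equals(seg[2])) {
            seg[2] = CLIENT_KEY;
        }
        return uri.getScheme() + "://" + uri.getRawAuthority() + String.join("/", seg);
    }

    public static void main(String[] args) {
        // Constructed sample URLs standing in for the output of a server-side listing.
        List<String> listing = Arrays.asList(
            "https://files.example.test/APP-ID/CODERUNNER-KEY-PLACEHOLDER/files/reports/q2%20summary.pdf",
            "https://files.example.test/APP-ID/CLIENT-REST-KEY-PLACEHOLDER/files/reports/public.txt");
        for (String url : listing) {
            System.out.println(rekeyForClient(url));
        }
    }
}
```

With the permissions described in the question (deny for everything except ServerCodeUser), a rewritten URL should then produce the same error the public URL does.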

Excellent, Thanks!