Filter Find Results Based on Related Item's Value

I’m pretty new to Backendless, and I’m investigating ways to provide some support for fine-grained access control, i.e., only return data or allow operations on data related to the “domain” (see below) of the user issuing an API call against my database.

  • I have a domain table and an asset table, in addition to the provided user table.
  • Each user is connected to a particular domain (1:1).
  • Each asset is connected to a particular domain (1:1).
  • When issuing a get on assets, I want to return only the assets that are connected to the logged-in user’s domain. Whatever is consuming the API should have no idea that there are other assets connected to other domains.

My initial thought is to build an event handler after find on asset, to only return assets that are connected to the same domain that the logged-in user is connected to. Is this the best approach? If not, suggestions are welcome. If so, could I please have some guidance as to how to write a Codeless filter that checks to see if the asset’s related domain is the same as the user’s related domain?

Thanks so much for any assistance!
John

Hi John,

There is more than one way to accomplish what you describe. The first approach can be query-driven. The query to retrieve assets (indirectly) related to the user would use the following where clause:

Domain[asset].Users[domain].objectId = 'current user objectId value'

The structure of the query may not be the most intuitive if you’re just getting started with the platform. Here’s a simple way to see how I put it together - the Asset table has the following incoming relation (meaning it is a relation where Asset is a child table). Notice in the header it says relation from: Domain[asset]

So we’re using that part in the query in order to reference the parent object for the assets we need to get in the parent table - Domain.

Exactly the same thing happens in the Domain table - there we have an incoming relation from the Users table:
So when we do the following in the where clause query:

Domain[asset].Users[domain]

we get a reference to the related parent of a parent, which is an object in the Users table.

Finally, we reference a property in the Users table, which is the user’s objectId (you can reference any property that way - name, email, etc.). As a result, we get the complete query:

Domain[asset].Users[domain].objectId = 'current user objectId value'

What’s the best way to use this query in a secure way? I’d put it into an API service (let me know if you need help with creating an API service in Backendless). In your API service, you can easily get a hold of the objectId of the currently logged in user and structure the query as shown above.

The other way to get this functionality is by using the Owner Policy. This is a special security configuration in your Backendless app where the system will retrieve only objects created by the currently logged in user. To make this work, the objects need to be marked as ones the user created. In fact, that “marking” happens automatically when a currently logged in user saves an object. For instance, in that case, both Domain and Asset objects will have a value in the ownerId column. I am not sure if that use-case applies to your scenario though.

Hope this helps.

Mark