Guidance on security

I guess the best way for securing data (blocking people from grabbing API calls and repeating them) is with the owner policy only allowing a user to update their own data. But what about something like a friend request where accepting a friend would add them to your friends column as well as the other user’s? Needing to modify data that isn’t owned by you, some server code?

So far I’ve come up with either a beforeDelete event to do validation with server code or a custom event.

Any help is appreciated.

Hi, @mudasar-javed

I can suggest that you create a custom role and assign it to those users who should have access to the objects you want. Would this work for you?

Regards,
Marina

Hmm, no, I don’t think so, because every user would have the ability to accept or deny a friend request. I think the best way is to have a beforeDelete event on the friendRequests table that only allows either of the two users to delete it and blocks any other attempts. And for stuff like a blocked list or thumbs upping another user, custom events with validation. A server code user would still be allowed to make changes regardless of the owner policy, right?

Thanks,
Mudasar

Hi @mudasar-javed ,

No, the server code user will also regard the owner policy.

Regards, Andriy

@Andriy_Konoz if the server code user can’t modify objects it doesn’t own, how can I achieve this functionality while having the owner policy in place? I don’t see why the server code user wouldn’t be above the owner policy.

Hi @mudasar-javed ,

I would recommend that you look at ObjectACL to reach your goals. You can configure permissions for each record individually.

Unfortunately, at the current moment you can’t use a combination of “Owner policy” and “Object ACL” due to a bug related to the priority of these policies. There is an internal ticket BKNDLSS-27500 for it. We are working on a solution for this problem.

Regards, Andriy

@Andriy_Konoz I could create a new friendRequest record and only allow the participating users to delete it, but how would I then update the other user’s properties to add to their friends list? Also, for something like thumbs upping a friend I would need to be able to modify their thumbsUps property. If I could allow server code to override the owner policy, all these issues could be fixed pretty easily. I look forward to the solution. It looks like it’s been a thing since 2016 though: “How can I - 'Allow update only by owner, but only through server code' ??”, so I hope we can get a quick fix.

@mudasar-javed ,

Unfortunately, we can’t make the server code user ignore the owner policy since it will break backward compatibility, which will break other apps. I would suggest that you try the approach described in the referenced topic: create a beforeUpdate event handler and check the owner in it.

Also, it seems to me that in the case where you want to control modification of a single property, it would be better to do it using your own custom service.

Regards, Andriy

Hey @Andriy_Konoz, wouldn’t it be possible to have this functionality behind a toggle that’s defaulted to false to preserve backwards compatibility? I’ll use the beforeUpdate event listener for adding friends and thumbs upping for now, I just think server code over owner policy is a pretty powerful feature.

Thanks,
Mudasar.

Can you provide an example where for the same table:

  1. you want the owner policy to apply for the API made from the client side

and

  2. bypass the owner policy for the cloud code logic?

In my mind, a properly designed app where you want to impose additional security checks would rely strictly on cloud code/API services and the APIs from the client-side would be restricted. A system where you mix-and-match owner policy with cloud code would become rather kludgy.

Regards,
Mark

Well, something as simple as a users table with a column for thumbs ups or something like that, which their friends can increment. I wouldn’t want anyone besides the owner to be able to update the record apart from their friends incrementing the thumbsUp column.

In this scenario I can have an owner policy in place and just use a custom cloud code event with a check to make sure the requested user is a friend and hasn’t previously thumbsUpped before updating the record.

Same for a friend request system where accepting a request adds the other user to your friends column as well as you to their column.

Me having my own beforeUpdate for the whole users table and rejecting any attempts to modify records that aren’t their own would be mimicking this functionality, just thought server code over owner could simplify the process.

Thanks,
Mudasar.
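
The two cross-owner writes discussed in this thread (accepting a friend request and thumbs-upping a friend), written as the validation a custom service would run before touching another user's record. This is an added example, not code from the thread or from Backendless: it is plain JavaScript with no SDK calls, and the function names and record fields (`objectId`, `friends`, `thumbsUps`, `thumbedBy`, `from`, `to`) are assumptions.

```javascript
// Added illustration: plain JavaScript over in-memory records, no Backendless SDK.
// All field and function names here are assumptions, not a real schema.

// Friend request acceptance: only the recipient may accept, and both
// users' friends lists are updated together by server-side code.
function acceptFriendRequest(callerId, request, users) {
  if (!callerId || callerId !== request.to) {
    return { ok: false, reason: 'only the recipient can accept' };
  }
  const sender = users.get(request.from);
  const recipient = users.get(request.to);
  if (!sender || !recipient) return { ok: false, reason: 'unknown user' };
  if (!sender.friends.includes(recipient.objectId)) sender.friends.push(recipient.objectId);
  if (!recipient.friends.includes(sender.objectId)) recipient.friends.push(sender.objectId);
  return { ok: true };
}

// Thumbs up: the client names the target only. The server checks the
// friendship and the one-vote rule, then computes the new counter itself
// instead of trusting a value sent by the client.
function thumbsUp(callerId, targetId, users) {
  const target = users.get(targetId);
  if (!callerId || !target) return { ok: false, reason: 'unknown caller or target' };
  if (!target.friends.includes(callerId)) return { ok: false, reason: 'not a friend' };
  if (target.thumbedBy.includes(callerId)) return { ok: false, reason: 'already voted' };
  target.thumbedBy.push(callerId);
  target.thumbsUps += 1;
  return { ok: true, thumbsUps: target.thumbsUps };
}

// Constructed sample data: three users with no friends and no votes yet.
function sampleUsers() {
  const mk = (id) => ({ objectId: id, friends: [], thumbsUps: 0, thumbedBy: [] });
  return new Map(['alice', 'bob', 'carol'].map((id) => [id, mk(id)]));
}
```

Because the caller identity comes from the authenticated session and the counter is computed on the server, replaying or editing a captured request cannot add a second vote or write to a stranger's record.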