I’m thinking out load how can I know that it wouldn’t happen again… maybe I need to move all my logic to services and deny direct access from outside… Do you have other suggestion?
I just want to explain my concerns. Since I implemented multi-tenant architecture I’m counting on the handlers to limit the queries to items relevant to that user. For example running the beforeFind handler will add the following to the where clause automatically:
Hello Inna,
Thank you for contacting me again. It didn’t happen again but because it has huge impact on my application vulnerability (because I’m using it to enforce multi-tenancy roles) I must to something.
Unfortunately I must allow access by javascript to the application for back office so the option to use only BL is not possible.
I was thinking maybe instead creating a timer that will query some tables every 1 minutes to verify the content it receives (obviously it will use the rest api key).
But i’m wondering if I should check all the APIs exposed or only find…
It’s hard for me to say exactly how you need to redo the logic. You need to try and make your logic to the expected result. We will try to make sure that the situation that you have encountered does not repeat itself.
Hello,
The issue happens again. If you will access my application you will be able to reproduce it now with a table named loginsAudit. Last time it resolved it self after some time so if you can check it now it would be great!
As mentioned I’m counting on those handlers to enforce multi-tenancy, without it everyone can access other tenant information.
Because it happens randomly I cannot run an API monitor to capture it, if I will do that I need to run it against all types (find, create, update) for all the tables which doesn’t make sense.
Thank you for the video.
I believe it doesn’t run Bl because of Roles Permissions.
I can see that you are logged-in in the REST Console, so make sure this user has access to the data.
@vladimir-upirov I unchecked the “solution” mark because the original issue is not related to the followup one. In the original one I saw all the records the table had because the filter I add in the beforeFind handler wasn’t added as the handler was not invoked.
I understand you correctly don’t have a way to reproduce it. For now it didn’t happen again but I keep this thread as-is if you will find a reason of if it will happen again.
I really need your advice here. If I’m doing something incorrectly let me know, if this is a bug I need to know that you found it and when it is going to be handled.
If you don’t think it is that important let me know so I will be able to decide how to proceed.
I LOVE Backendless and already spent so much time learning the platform, interacting with the features and building an application that should help institutes in Israel during the Corvid. Backendless provides such an amazing platform with custom code generation, powerful console, great documentation, server services, roles… what’s not. I’m amazed with its capabilities. But if it fails in the security / stability areas I’m lost.
I really hope you will find a problem on my side and I will then apologies for writing the above. Otherwise, I need you to give a hand and figure it out.
Eran
P.S
Although in Herbrew, you can see how it affect the application as user can select and set relations of cross organizations
It is my understanding that previously the handlers were not invoked because the currently logged in user didn’t have permission to the tables. So when you say it happens again, is it for the same reason?
Hi,
I had an issue with the size of the video I sent to the support, I resent it with a link to google photos.
Regarding your question, see the original problem (the first thread). I’m experiencing the same thing as the original issue which is not related to permissions. Oleg Vyalyh tried to reproduce it but when he tried to do it, the handlers already started working.
@mark-piller I was (too) happy you responded fast (2 minutes after reporting the issue) but eventually it was not resolved and production is still broken.
To Summarize
Backendless handlers are defined to be executed for all tables using *.
Backendless execute the handlers only on some of the tables.
What it means
Users see information they shouldn’t see (data leak / security concern).
I need to take down the application until it is resolved although tomorrow ~150 parents should start using it.
I cannot add more organizations to the application although it was architecture to support many (~2k-5k parents every day that we have school and we are not in quarantine).
What I need
I need it to be resolved either by saying to me where I did wrong in the permissions matrix or by fixing something on your side if there is a bug.
As it still happens after 10 hours, please assign someone to check it now before it will be “resolved on its own” like it happened 8 days ago. Answers like the following are not helpful:
Honestly, nothing.
and
There is one thought, that it can be related to the new release which was yesterday. Maybe some old information about tables state were cached. Anyway, now i can not say much about that.
How to reproduce
enter the REST console of table Classes
pick JS Api Key
don’t login with a user
sort by name and query get → actual behavior: handlers are not triggered and I get a response with all the data on that table
enter the REST console of table PickupTimes
repeat steps 2-4 → actual behavior: handlers are triggered.
@mark-piller
Correct me if I’m wrong - there are two types of support cloud code in Backendless: Handlers and services (and timers which are not relevant at the moment to this thread)
Services are used to extend the supported logic by the server. You can add logic and a user can call them. If the service is not called the user don’t get access to that service
Handlers can shape the response provided by the SDK. This is the only way to enforce policies and if needed to short circuit the response. Before handlers let you shape the query or modify the mutation while After handlers let you omit or add data to the SDK. There is no other way to do that and if handlers although defined are not being triggered, the user get access to the data directly.
taking from node servers, handlers are like middlewares that guard the application from exposing undesired data.
When I was planning the architecture of the multi-tenancy you responded that I can either create an application to every organization or use one instance with handlers (in slack support channel). Later someone else responded that If I need to support readonly/write logic I can add new column to user instead of using roles. Both suggestions make sense and led to the way I architecture multi-tenancy and handlers are the ‘middlewares’ that holds the magic.
This is why I consider it as data leak / security issue. Without handlers multi-tenancy doesn’t work
Issue 1.
You invoke a GET operation on a table and are getting a result. Is the expectation that the server doesn’t return data because the permission is not there?
Questions:
what are the names of the tables where it works and doesn’t work?
what are the parameters you are passing into the request?
Issue 2
You have an event handler for the find operation that applies to all tables. The handler is invoked for some tables and is not invoked for others.
Questions:
what tables is the handler invoked for?
what tables is the handler NOT invoked for?
The more precise you provide the answers, the faster we can resolve the issue.
