The quality of the video I uploaded to Google is bad, I will re-send using another service
Was the original problem explained in this response?
No,
The issue I’m experiencing now is the same as the original issue of this post.
The one you are quoting is a different issue that I thought at the beginning is the same but it turned out to be a different one.
Please see the video I sent, I talk during you will see the problem there which is the same as the one I originally wrote in this ticket
@mark-piller I was (too) happy you responded fast (2 minutes after reporting the issue) but eventually it was not resolved and production is still broken.
To Summarize
- Backendless handlers are defined to be executed for all tables using *.
- Backendless executes the handlers only on some of the tables.
What it means
- Users see information they shouldn’t see (data leak / security concern).
- I need to take down the application until it is resolved although tomorrow ~150 parents should start using it.
- I cannot add more organizations to the application although it was architected to support many (~2k-5k parents every day that we have school and we are not in quarantine).
What I need
I need it to be resolved either by saying to me where I did wrong in the permissions matrix or by fixing something on your side if there is a bug.
As it still happens after 10 hours, please assign someone to check it now before it will be “resolved on its own” like it happened 8 days ago. Answers like the following are not helpful:
Honestly, nothing.
and
There is one thought, that it can be related to the new release which was yesterday. Maybe some old information about tables state were cached. Anyway, now i can not say much about that.
How to reproduce
- enter the REST console of table Classes
- pick JS Api Key
- don’t login with a user
- sort by name and query get
→ actual behavior: handlers are not triggered and I get a response with all the data on that table
- enter the REST console of table PickupTimes
- repeat steps 2-4
→ actual behavior: handlers are triggered.
both tables share the same permissions matrix
Eran
Please help me understand how invocation of handlers is related to a data leak?
Security in Backendless is enforced by applying roles and permissions to API operations. Invocation of business logic is irrelevant to that subject
@mark-piller
Correct me if I’m wrong - there are two types of supported cloud code in Backendless: Handlers and services (and timers which are not relevant at the moment to this thread)
Services are used to extend the supported logic by the server. You can add logic and a user can call them. If the service is not called the user doesn’t get access to that service
Handlers can shape the response provided by the SDK. This is the only way to enforce policies and if needed to short circuit the response. Before handlers let you shape the query or modify the mutation while After handlers let you omit or add data to the SDK. There is no other way to do that and if handlers, although defined, are not being triggered, the user gets access to the data directly.
Taking from Node servers, handlers are like middlewares that guard the application from exposing undesired data.
When I was planning the architecture of the multi-tenancy you responded that I can either create an application for every organization or use one instance with handlers (in the Slack support channel). Later someone else responded that if I need to support readonly/write logic I can add a new column to user instead of using roles. Both suggestions make sense and led to the way I architected multi-tenancy, and handlers are the ‘middlewares’ that hold the magic.
This is why I consider it as data leak / security issue. Without handlers multi-tenancy doesn’t work
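The reproduction steps and the "handlers as middleware" argument above can be modelled in a few lines. The following is an added example, not Backendless code and not from any participant in this thread: a hypothetical in-memory store (`createStore`) with a per-table permission matrix and `beforeFind` handlers, a constructed `skipWildcardFor` switch that makes the `*` handler silently not run for one table (the reported behaviour), a tenant-scoping handler (`tenantScope`, assuming an `orgId` column), and a canary check (`findLeakingTables`) that a tenant can run across all tables to detect the condition instead of discovering it from users. The sample rows and table names are constructed for the example.

```javascript
// Added example, not Backendless code: in-memory model of tables, a permission matrix and
// "before find" handlers, showing why a wildcard handler that silently does not fire turns
// tenant scoping into a data leak, and a check that detects it.

// Constructed sample rows: two organisations share the same tables.
const SAMPLE_ROWS = {
  Classes: [
    { objectId: 'c1', orgId: 'org-a', name: '1A' },
    { objectId: 'c2', orgId: 'org-b', name: '2B' },
  ],
  PickupTimes: [
    { objectId: 'p1', orgId: 'org-a', name: '08:00' },
    { objectId: 'p2', orgId: 'org-b', name: '08:30' },
  ],
  Families: [{ objectId: 'f1', orgId: 'org-a', name: 'Family A' }],
};
const TABLES = Object.keys(SAMPLE_ROWS);

// Hypothetical backend. `skipWildcardFor` names tables where the '*' handlers are not run,
// reproducing the behaviour reported in the thread (an assumption of this model).
function createStore({ rows, permissions, skipWildcardFor = new Set() }) {
  const handlers = new Map(); // '*' or table name -> [handler]
  const runs = [];            // table names for which a handler actually ran
  return {
    beforeFind(table, fn) {
      if (!handlers.has(table)) handlers.set(table, []);
      handlers.get(table).push(fn);
    },
    find(table, ctx, query = {}) {
      // Permission layer: consulted before any business logic runs (fail closed).
      const perm = permissions[table] || {};
      const allowed = ctx.user ? perm.authenticated === true : perm.notAuthenticated === true;
      if (!allowed) throw new Error(`find on ${table} denied by permission matrix`);
      const chain = [
        ...(skipWildcardFor.has(table) ? [] : handlers.get('*') || []),
        ...(handlers.get(table) || []),
      ];
      const req = { table, query: { ...query }, context: ctx };
      for (const h of chain) {
        h(req);
        runs.push(table);
      }
      const out = rows[table] || [];
      return req.query.where ? out.filter(req.query.where) : out.slice();
    },
    handlerRuns(table) {
      return runs.filter((t) => t === table).length;
    },
  };
}

// Tenant-scoping before-find handler, registered for all tables with '*'. Callers with no
// organisation (e.g. anonymous API-key calls) get a filter that matches nothing.
function tenantScope(req) {
  const orgId = req.context.user ? req.context.user.orgId : null;
  req.query.where = orgId ? (row) => row.orgId === orgId : () => false;
}

// Canary check: query every table as a user of one organisation and flag any table that
// returns rows of another organisation. A denied request is not a leak.
function findLeakingTables(store, tables, user) {
  return tables.filter((table) => {
    let result;
    try {
      result = store.find(table, { user });
    } catch (e) {
      return false;
    }
    return result.some((row) => row.orgId !== user.orgId);
  });
}

function demo() {
  const userA = { objectId: 'u1', orgId: 'org-a' };
  const broken = new Set(['Classes']); // the table whose wildcard handler never fires

  // Setup from the thread: the matrix allows find for everyone; isolation is left to the handler.
  const openMatrix = Object.fromEntries(
    TABLES.map((t) => [t, { notAuthenticated: true, authenticated: true }]),
  );
  const open = createStore({ rows: SAMPLE_ROWS, permissions: openMatrix, skipWildcardFor: broken });
  open.beforeFind('*', tenantScope);

  // Hardened matrix: anonymous find is denied at the permission layer.
  const closedMatrix = Object.fromEntries(
    TABLES.map((t) => [t, { notAuthenticated: false, authenticated: true }]),
  );
  const closed = createStore({ rows: SAMPLE_ROWS, permissions: closedMatrix, skipWildcardFor: broken });
  closed.beforeFind('*', tenantScope);

  let anonymousDenied = false;
  try {
    closed.find('Classes', { user: null });
  } catch (e) {
    anonymousDenied = true;
  }

  return {
    leakingTablesOpen: findLeakingTables(open, TABLES, userA),              // ['Classes']
    anonymousClassesRowsOpen: open.find('Classes', { user: null }).length,  // 2: whole table
    anonymousPickupRowsOpen: open.find('PickupTimes', { user: null }).length, // 0
    classesHandlerRuns: open.handlerRuns('Classes'),                        // 0
    anonymousDeniedClosed: anonymousDenied,                                 // true
    leakingTablesClosed: findLeakingTables(closed, TABLES, userA),          // still ['Classes']
  };
}

console.log(demo());
```

Two things the run makes visible. Denying anonymous find in the permission matrix closes the unauthenticated path regardless of whether the handler fires, which is why the permission layer is the place for the deny-by-default decision; but cross-tenant isolation between authenticated users still depends entirely on the handler, so a per-table canary query like `findLeakingTables` (run from a test tenant after every deploy, and after stopping a local debug session) is what catches a handler that quietly stopped running.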
To summarize what you’re doing:
Issue 1.
You invoke a GET operation on a table and are getting a result. Is the expectation that the server doesn’t return data because the permission is not there?
Questions:
- what are the names of the tables where it works and doesn’t work?
- what are the parameters you are passing into the request?
Issue 2
You have an event handler for the find operation that applies to all tables. The handler is invoked for some tables and is not invoked for others.
Questions:
- what tables is the handler invoked for?
- what tables is the handler NOT invoked for?
The more precise you provide the answers, the faster we can resolve the issue.
Regards,
Mark
I think both issues can be reproduced by following this flow. I quoted the relevant part with the reproducing scenario:
I provided a detailed answer to your question.
Note that I’m using only the JS API key and cloud code api key
Issue 1.
You invoke a GET operation on a table and are getting a result. Is the expectation that the server doesn’t return data because the permission is not there?
Questions:
- what are the names of the tables where it works and doesn’t work? answer: Today Classes doesn’t work. Families and PickupTimes work. 8 days ago PickupTimes didn’t work as well.
- what are the parameters you are passing into the request? answer: regular query parameters. sort by name with js api key
Issue 2
You have an event handler for the find operation that applies to all tables. The handler is invoked for some tables and is not invoked for others.
Questions:
- what tables is the handler invoked for? answer: today I can confirm Families and PickupTimes which are both exposed by JS key
- what tables is the handler NOT invoked for? answer: today Classes, 8 days ago also PickupTimes but now that table works
Thanks, our engineers are investigating. We will report back our findings.
Regards,
Mark
Eran,
How do you deploy your business logic? Do you do it through the CODING tab or using code runner?
We tried creating a test event handler for beforeFind (Backendless allows multiple) and once we added it, the event handler for the Classes table started working.
Basically it works now, but it needs to be investigated where we can reliably reproduce the problem so we can fix it. If you could try recalling what actions led to the problem, it would be very helpful.
Regards,
Mark
Hi Mark,
Thank you for working on it.
It happened today after exiting a local development thread. The first time after deploying using code runner
I love the coderunner as it allows writing and debugging locally and I have a lot of BL.
Does it help?
Hi Eran,
Thanks, but I need further clarification. Could you describe what you meant by “after exiting a local development thread”? Ideally, it would be great if you could describe your actions as:
- did X
- did Y
- did Z
- problem appeared
Regards,
Mark
Sure, I will respond once I am near my computer
Ok, I sent to the support email the project I’m using to debug & deploy my application to Backendless
General
- It is a TypeScript based project; the compiled / deployed content is in the lib folder
- I’m using node v12
Project Setup
Use the following if you want to run it against a development instance, otherwise you can skip this part and just see the project content.
- extract the zip file I sent to the support email.
- rename coderunner.tpl.json to coderunner.json and modify the properties id and apiKey.
- run npm install
Option 1 - debug locally
use npm run debug to compile the typescript into the lib folder and to run coderunner in debug mode (coderunner debug). I’m using a code to monitor changes so once I change the code it re-compiles and redeploys in debug mode
Option 2 - deploy to Backendless
use npm run deploy to compile the typescript into the lib folder and to run coderunner in deploy mode (coderunner deploy).
What I did before problem appeared
- Yesterday it happened after running option 1 (debug). During the debug everything worked as expected.
- Once I was done with the debug, I pressed ctrl+c to exit the debug mode.
- I didn’t re-deploy after that so Backendless went back to use the production version that was already previously deployed.
- problem appeared
Thanks again for helping
Eran
@viktor.liablin I’m just letting you know that it happens now again with table PickupTimes
I have no choice but to limit the application users to perform only readonly actions and transfer calls relying on JS sdk into cloud code.
I really hope that you will find the problem, although in my case I’m not going anymore to use the SDK. For now I will use only services and will need to figure out how to proceed.
@Eran_Sakal , was the sequence the same as you described earlier? That is, you quit local debugging and the problem started happening?
Regards,
Mark
yes, I debugged something and then stopped debugging
@mark-piller you will not be able to reproduce it on my application because I disabled the permissions of the js sdk