Having Trouble Securing Files

I have a subdirectory under app-files. I want any logged in user to be able to create files in that dir. When a file is created, I use an afterSaveFileFromByteArray event handler to set the permissions on the file to give full access to the user that created the file, and to any user with an app-created Role called ‘Administrator’. I explicitly turn off all access for AuthenticatedUser and NotAuthenticatedUser, then explicitly grant it for the user, and for the Administrator role. Here is the current handler:

Backendless.ServerCode.File.afterSaveFileFromByteArray('app-files', async function(req, res) {
    await Backendless.Files.Permissions.READ.denyForRole("AuthenticatedUser", req.context.eventContext)
    await Backendless.Files.Permissions.DELETE.denyForRole("AuthenticatedUser", req.context.eventContext)
    await Backendless.Files.Permissions.READ.denyForRole("NotAuthenticatedUser", req.context.eventContext)
    await Backendless.Files.Permissions.DELETE.denyForRole("NotAuthenticatedUser", req.context.eventContext)
    await Backendless.Files.Permissions.READ.grantForUser(req.context.userId, req.context.eventContext)
    await Backendless.Files.Permissions.DELETE.grantForUser(req.context.userId, req.context.eventContext)
    await Backendless.Files.Permissions.READ.grantForRole("Administrator", req.context.eventContext)
    await Backendless.Files.Permissions.DELETE.grantForRole("Administrator", req.context.eventContext)
});

When I try to access these files from a user account that has the Administrator role, GETs fail with Bad Request unless I turn on access for AuthenticatedUser. But then ANY logged-in user can read the files, which trashes the entire plan. I won’t bore you with all the various combinations I have tried to implement this scheme. I think it would save time if someone would please just tell me exactly what permissions to set on the directory and on each file in it to achieve the simple goal described above (anyone logged in can create, only the user who created the file or anyone who has the Admin role assigned can read or delete).

Also, is there any point at all to allowing or denying write permission to a File, as opposed to a directory?

Thank you,
Kelly

app id 8149FCCE-07DA-F988-FFBB-6154872C9500

I ended up scrapping the Admin role, and just using one account for administrative duties and hard-coding its object id in the handler that sets permissions. Now the user who created the files and the Admin user account can both see the files - not optimal, but it works. However users of the Admin account now get unexpected “invalid user token” errors trying to access the database. So another question: if multiple users log in using the same account, and one logs out, does the user token for the other user(s) get invalidated?

Thanks

Hello @Kelly_Oglesby

It depends on the user login policy. By default, if you log in, all other previous user tokens become invalid. To change the behavior, go to Backendless Console → Users → Login section and choose a policy that suits you.
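
The default policy described in the reply above, as a small model of why a shared account produces "invalid user token" errors. This is an added example, not part of the thread and not Backendless code; the `SessionStore` class, its `maxSessions` setting and the account id are hypothetical.

```javascript
// Constructed in-memory model of a per-account login policy.
class SessionStore {
  // maxSessions = 1 models "a new login invalidates earlier tokens";
  // a larger value models a policy that allows concurrent logins.
  constructor(maxSessions = 1) {
    this.maxSessions = maxSessions;
    this.tokensByUser = new Map(); // userId -> tokens, oldest first
    this.counter = 0;
  }

  login(userId) {
    // Stand-in for an opaque token; a real service issues random values.
    const token = `token-${++this.counter}`;
    const tokens = this.tokensByUser.get(userId) || [];
    tokens.push(token);
    // Evict the oldest tokens once the per-account limit is exceeded.
    while (tokens.length > this.maxSessions) tokens.shift();
    this.tokensByUser.set(userId, tokens);
    return token;
  }

  logout(userId, token) {
    const tokens = this.tokensByUser.get(userId) || [];
    this.tokensByUser.set(userId, tokens.filter((t) => t !== token));
  }

  isValid(userId, token) {
    return (this.tokensByUser.get(userId) || []).includes(token);
  }
}

// Two people sign in to one shared administrative account, then the
// second one logs out. Returns what the first person's token looks like.
function sharedAccountScenario(maxSessions) {
  const store = new SessionStore(maxSessions);
  const first = store.login("admin-account");
  const second = store.login("admin-account");
  const firstValidAfterSecondLogin = store.isValid("admin-account", first);
  store.logout("admin-account", second);
  return {
    firstValidAfterSecondLogin,
    firstValidAfterSecondLogout: store.isValid("admin-account", first),
    secondValidAfterLogout: store.isValid("admin-account", second),
  };
}
```

In this model the first token is lost at the second login, not at the logout, so a shared account breaks under the single-session setting even if nobody logs out.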