How does security in file service work?

Hi guys,
I’m trying to apply security to one of my folders under the web folder in File Service. I only want authenticated users to be able to view these files.
I read this article and implemented according to my understanding.
http://support.backendless.com/public/attachments/1dbbf2ce609995890153fbd6dfc9f35a.png
Problem I’m having is that I am still able to view files in the said folder even if I’m not authenticated.
Also, I read this other article on implementing an even stricter security setup, wherein I only want users to have access to their own files and they should not be able to access other users’ files. In this article, there is a method to grant access for a user.

To grant access for a user

FilePermission.READ.grantForUser( userid, url, responder );
FilePermission.DELETE.grantForUser( userid, url, responder );
FilePermission.WRITE.grantForUser( userid, url, responder );

If I use the above method, will it automatically deny all other users to that file?
One more thing. Is it a good idea to put user upload files in the web directory instead of the root directory? Are there any disadvantages in doing this?
Appreciate any feedback.
Regards,
Allen

Hi Allen,

For this problem:

"Problem I'm having is that I am still able to view files in the said folder even if I'm not authenticated."

Where are you looking at the files? In Backendless Console?

For the second question where you used the “grantForUser” API, it will change the permissions only for the user you specified.

As for the placement of the files (root vs. web), it is recommended to place them into a directory since you can specify security restrictions on a folder, but would not be able to set them for the root.

Regards,
Mark

Hi Mark,

When you asked me this,

"Where are you looking at the files? In Backendless Console?"

I suddenly realized my mistake. I’m supposed to get the public URL and try it in a different browser session, aren’t I? Which I did just now, and I got exactly the error message I was hoping for.

{
    code: 4000,
    message: "User has no permissions for specified resource"
}

Sorry about that.

For the second part, when you said

"it will change the permissions only for the user you specified"

Does it mean that I still need to do the following:

FilePermission.READ.denyForAllUsers( url, responder );
FilePermission.DELETE.denyForAllUsers( url, responder );
FilePermission.WRITE.denyForAllUsers( url, responder );

Then perform the following:

FilePermission.READ.grantForUser( userid, url, responder );
FilePermission.DELETE.grantForUser( userid, url, responder );
FilePermission.WRITE.grantForUser( userid, url, responder );

In order to allow access to owner only?
For the third part, I created a folder uploads and placed it under web. So it doesn’t matter whether I place it in /root/uploads as compared to /root/web/uploads?
Thanks,
Allen
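
Added example (not part of the original thread, and not Backendless code): the check described in the post above, requesting a file's public URL with no session and confirming that the code 4000 error comes back, written as a Python script. The JSON shape of the error body, the 403 status, the /web/uploads/ path and the local stub server are assumptions, constructed so the script runs offline.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Error body quoted in the thread (assumed to arrive as JSON).
DENIED = {"code": 4000, "message": "User has no permissions for specified resource"}
# Opener with no cookie jar, auth handler or proxy: every request is anonymous.
ANON = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch_anonymous(url, timeout=5):
    """GET url without credentials; return (status, body bytes)."""
    try:
        with ANON.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # a non-2xx reply still has a body
        return err.code, err.read()

def is_denied(url):
    """True only if the anonymous reply is the code-4000 permission error."""
    try:
        payload = json.loads(fetch_anonymous(url)[1])
    except ValueError:  # not JSON, so file content (or something else) came back
        return False
    return isinstance(payload, dict) and payload.get("code") == DENIED["code"]

class StubFileService(BaseHTTPRequestHandler):
    """Constructed stand-in for the file service so the check runs offline."""
    def do_GET(self):
        denied = self.path.startswith("/web/uploads/")  # the locked-down folder
        status = 403 if denied else 200  # 403 is assumed; the thread shows only the body
        body = json.dumps(DENIED).encode() if denied else b"constructed file bytes"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo output quiet
        pass

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubFileService)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

if __name__ == "__main__":
    server, base = start_stub()
    for path in ("/web/uploads/a.png", "/web/public/b.png"):
        print(path, "denied" if is_denied(base + path) else "EXPOSED")
```

Against a real app, pass the file's public URL to is_denied() from a machine that holds no login for the app; a False result means an unauthenticated visitor can still read the file.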

Hi Allen,

Yes, you’re correct, it would require 2 sets of calls (one to deny for all, and the other to grant for a specific user).

Regarding the path, it would not matter whether it is /root/uploads or /root/web/uploads.

The significance of the /root/web directory is it becomes the “root” of your “web app” if you were to assign a custom domain to your Backendless app.

Regards,
Mark