Initial Permissions - Deny all

I just started with Backendless. Created first tables. I was surprised to see that by default all routes are allowed for all users?
An unauthenticated user can already call every method on the API.

From other REST solutions I looked at so far (e.g. feathersjs, strapi), all routes are disabled by default and must be enabled.

On global permissions, everything is allowed by default and it looks like the checkmarks have to be set individually for every role?!

Am I missing something?

Hello Silvan

Yes, everything is allowed by default, but you can go to Users -> Security Roles and disable everything you need, and then enable permissions individually in particular services such as Data, Files, Messages etc.

Here is a doc about permissions:
https://backendless.com/docs/rest/users_global_permissions.html

Regards, Vlad

Hi Vladimir,

Thanks for the quick reply. That's a very strange way Backendless tackles security (default deny all), e.g. https://securosis.com/blog/network-security-fundamentals-default-deny

At least there should be a way to disable all roles and users by default. At the moment I would have to make over 200 clicks to set deny all for all system users and then enable when needed.

Anyway, seems to be as it is. Guess that might not work for me as is.
Thanks again!

Silvan

Hi @ilpiccone,

When someone starts working with Backendless and they have no files, no data tables, no messaging channels, no users AND if they start with everything being locked down and they cannot make a single API query, it results in a very frustrating and unpleasant developer experience. I appreciate you sharing your point of view, but politely we disagree with you about keeping it closed by default. I do agree with you that it is very inconvenient to deny all permissions by clicking them one by one, and that is something we will definitely improve.

Cheers,
Mark

Hi Mark,

Thanks for the reply. Fair enough! I see your point about getting started quickly. Just hope creators don't forget to change settings when going live (e.g. for unauthenticated users). But I guess that's up to preference.
Would be great if changing the setting could be streamlined. Happy to give it another shot.
We're currently using Strapi hosted on DigitalOcean, which works quite nicely. I like the fully integrated approach of Backendless.

Really appreciate the fast feedback here. Thanks again.
BR
Silvan

Hi Silvan,

I've created an internal ticket to improve this; the ticket's number for reference is BKNDLSS-21140.

Regards, Vlad