I’m just starting testing backendless and have some questions that I can’t find answers to. Hopefully you can help.
Background: everything is http rest api calls and I’m using backendless cloud. Permissions are currently enabled for everything while initially testing.
api-key does not appear to be enforced. I am calling [myappsubdomain].backendless.app/api/users/login with only email/password and it processes the login without needing the api key. The documentation says the api-key needs sent, but it isn’t needed for this, so I’m puzzled about what needs it?
I have some questions about roles and want to make sure that I understand. First, I do not want any access for unauthenticated users. Does the built-in user login/registration system work correctly if NotAuthenticatedUser is set to Deny All? And if the Rest role has some permissions, would those be added or does not authenticated supersede everything else?
I only want users to have access to their own records. I see that ownerID is automatically created on tables. Do the Owner Policy settings on the table supersede the role permissions? Does this just require the user token sent in the headers? In other words: if I deny all to authenticated and rest users but add owner policy permissions to each table and send the user token in the headers, does this accomplish the permissions how I am thinking it will?
Does the auto-generated OwnerID field replace the need to traditionally add a userID field for the relationship between a user table and data linked to that user? I just want to make sure it can be used in the same way… eg. get all records from table X where ownerID = Y.
On a POST to add a record, does the system add this ownerid automatically when user-token is sent or does ownerID need sent directly?