No permission although ServerCodeUser assigned

I have set the permissions for a directory in the following way:

In my backend JS-code, I want to count files/dirs in that folder using the API Backendless.Files.getFileCount().
I’m getting the error “User has no permissions for specified resource”.

From the documentation, I understood that when calling APIs from my server code, I have the role “ServerCodeUser” assigned. So, I should be able to do anything in that folder.

By configuring access permissions to these roles an application may allow access to custom server-side code (ServerCodeUser role), but completely reject access to the client apps (all other roles).

When an API call originates from business logic (Java, JS or Codeless), Backendless assigns the ServerCodeUser role.

Is this a bug, or am I missing something?

Regards

I’m linking this one to my previous, similar issue:

If I don’t get the whole file security topic wrong, these are severe security issues. I won’t be able to go to production without protecting the users’ files.

Regards,

Hi @Klaas_Klever !

I have tried to reproduce your problem in my app with a custom BL service but was unable to do it. Could you please create an example application with a custom service with code which produces this error?

Regards, Andriy

Hi @Andriy_Konoz ,
I have a test case which is an API Service which uses Backendless.Files.getFileCount to count the number of files in a directory which can only be accessed with role ServerCodeUser. While implementing the test case, I’ve found out the following when using the API Service console:

  1. If I’m doing the API call as a non-authenticated user, the Backendless.Files.getFileCount call runs through successfully. This is as expected because this call should be done with role ServerCodeUser.
  2. If I’m doing the API call as an authenticated user, then the Backendless.Files.getFileCount call throws an exception “User has no permission …”. This does not make sense for me because I expect that this call is still done with role ServerCodeUser.

So, please repeat your test as an authenticated user. If you cannot reproduce my findings, I’ll send you my test case per email.

Thanks,

@Klaas_Klever

The behavior you described in the second scenario is valid.
It is described in our documentation:
https://backendless.com/docs/rest/data_security.html

[LAYER 7] Table permissions for system roles.
…If any of the system roles which the user belongs to deny access, the operation is rejected and no data is returned.

In your situation the user will have two roles, one with GRANT permission and another with DENY. This will result in DENY for the operation.

Regards, Andriy

Hi @Andriy_Konoz ,
But in my scenario 1., the caller is a NotAuthenticatedUser for which I’ve forbidden access. Still the call runs through. I’ve found the following paragraph in the docs:

An exception to this rule are API calls from business logic. In that case, if there is no authenticated user in the context of the call, Backendless assigns only ServerCodeUser role. The NotAuthenticatedUser role is not assigned and thus is not checked.

This explains this behavior.
However, I must conclude, that a NotAuthenticatedUser has more access rights in this case than the AuthenticatedUser. Correct?
How to protect then the call Backendless.Files.getFileCount against NotAuthenticatedUsers? I could protect my API Service against NotAuthenticatedUsers, but this is not what I want. I want to let the file system permissions decide whether the call is valid or not.

Regards,

@Klaas_Klever ,

The BL API key is intended for use only in your server logic. Since you fully control your code here, there is no need for NotAuthenticatedUser for API calls, since you can control access by making additional checks in your code. Unfortunately there is no other way to solve this problem.
Sorry for the inconvenience.

Regards, Andriy
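To make the two observed results and the suggested workaround concrete, here is an added example (not Backendless' code and not from either poster) that models the rules quoted in this thread: the Layer 7 rule that any DENY among the caller's system roles rejects the operation, the documented exception that a business-logic call without a logged-in user gets only the ServerCodeUser role, and Andriy's advice to put the "no anonymous callers" check into the server code itself. The role names are the real Backendless system roles; the permission table for `/protected`, the request objects and the `countFiles` callback are constructed for the illustration, and `countProtectedFiles` is a hypothetical service method that, in real server code, would wrap `Backendless.Files.getFileCount`.

```javascript
// Model of Backendless role-based permission evaluation as described in the thread.
// Added example: the permission table, resource and call objects are constructed.

// Constructed directory-permission table mirroring the original setup:
// only ServerCodeUser is granted, every other system role is denied.
const filePermissions = {
  "/protected": {
    ServerCodeUser: "GRANT",
    AuthenticatedUser: "DENY",
    NotAuthenticatedUser: "DENY",
  },
};

// Which system roles Backendless assigns to a call, per the quoted docs.
// fromBusinessLogic: the call is issued from server code (BL API key).
// user: the logged-in user in the call context, or null if there is none.
function rolesForCall({ fromBusinessLogic, user }) {
  const roles = [];
  if (fromBusinessLogic) roles.push("ServerCodeUser");
  if (user) {
    roles.push("AuthenticatedUser");
  } else if (!fromBusinessLogic) {
    // Documented exception: a BL call with no user gets ServerCodeUser only;
    // NotAuthenticatedUser is not assigned and therefore never checked.
    roles.push("NotAuthenticatedUser");
  }
  return roles;
}

// Layer 7 rule as quoted: if any of the caller's system roles denies the
// operation it is rejected; otherwise at least one role must grant it.
function isAllowed(resource, call) {
  const table = filePermissions[resource] || {};
  const roles = rolesForCall(call);
  const denied = roles.some((role) => table[role] === "DENY");
  const granted = roles.some((role) => table[role] === "GRANT");
  return !denied && granted;
}

// The three cases discussed in the thread.
function evaluateScenarios() {
  return {
    // Scenario 1: BL call, nobody logged in -> only ServerCodeUser -> allowed.
    blNoUser: isAllowed("/protected", { fromBusinessLogic: true, user: null }),
    // Scenario 2: BL call with a logged-in user -> ServerCodeUser GRANT plus
    // AuthenticatedUser DENY -> rejected.
    blWithUser: isAllowed("/protected", {
      fromBusinessLogic: true,
      user: { objectId: "u1" },
    }),
    // A direct client call with no user -> NotAuthenticatedUser DENY -> rejected.
    clientNoUser: isAllowed("/protected", { fromBusinessLogic: false, user: null }),
  };
}

// Andriy's workaround: because the BL API key is only ever used by code you
// control, that code enforces the rule the folder permissions cannot express.
// countFiles is injected so the example runs offline; in real server code it
// would call Backendless.Files.getFileCount on the directory.
function countProtectedFiles(currentUser, countFiles) {
  if (!currentUser) {
    // Reject anonymous callers before the SDK call ever reaches the folder.
    throw new Error("User has no permissions for specified resource");
  }
  return countFiles("/protected");
}

// Constructed stand-in for the real file count.
const fakeCountFiles = () => 3;

console.log(evaluateScenarios());
console.log(countProtectedFiles({ objectId: "u1" }, fakeCountFiles));
```

Running it prints `{ blNoUser: true, blWithUser: false, clientNoUser: false }`, which is exactly the pair of results reported for the API Service console, and the guard shows why the check has to live in the service: with the folder locked to ServerCodeUser, the only role set that gets through is the one an anonymous BL call produces, so the service, not the folder permissions, is where anonymous callers are turned away.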