Are there reasons that you don’t use public-read = YES and public-write = NO as default ACL permission? To me, this is the most understandable default permission setting.
Something is also confusing. I disabled authenticatedUsers to update Users table. But I enabled Update permission in owner policy. But it turned out I don’t have permission to Update the owner’s property.
Concerning your first question - Backendless grants all permissions by default - it seems more understandable for users that just start using Backendless.
About the Owner Policy question. Here's the list of permission priorities:
1. ObjectACL for user and roles. If user or role permission is granted, then the object will be in the accessed list. If there is no restriction, then check the next layer.
2. Table permissions for the User account
3. Table permissions for the user-defined roles
4. Owner Policy
5. Table permissions for system-level roles
6. Global user-defined roles
7. Global system roles
Since Owner Policy has higher priority than permissions for system-level roles (such as Authenticated User), the owner should have the ability to change his objects (the objects that have ownerId == objectId of the logged in user) even if this operation is denied for authenticated users.
If you try to change ownerId for your BackendlessUser (which sounds strange actually) - you should be able to do it only once - because next time the object will already have another ownerId and hence Owner Policy will not be applied.
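The priority order described in the answer above, as a small model added here for illustration; it is not Backendless code. It assumes the first layer holding an explicit grant or deny decides, that each layer's rules are already filtered to those applying to the caller, and that an undecided operation is granted (the default mentioned earlier in the thread). The layer keys, user ids and object ids are constructed.

```python
# Simplified model of the layered check: the first explicit decision wins.
# Assumption: each layer stores GRANT, DENY, or nothing (inherit) per operation.
GRANT, DENY = "GRANT", "DENY"

# Highest priority first, in the order given in the answer (names are hypothetical).
LAYERS = [
    "object_acl",
    "table_user",
    "table_custom_roles",
    "owner_policy",
    "table_system_roles",
    "global_custom_roles",
    "global_system_roles",
]


def resolve(operation, user_id, obj, rules, default=GRANT):
    """Return (decision, layer) from the highest-priority layer with a rule."""
    for layer in LAYERS:
        # Owner Policy is only considered when the caller owns the object.
        if layer == "owner_policy" and obj.get("ownerId") != user_id:
            continue
        decision = rules.get(layer, {}).get(operation)
        if decision in (GRANT, DENY):
            return decision, layer
    return default, "default"


# Constructed rules mirroring the thread: Update is denied for the
# authenticated-users system role but granted in the Owner Policy.
RULES = {
    "owner_policy": {"Update": GRANT},
    "table_system_roles": {"Update": DENY},
}


def demo():
    obj = {"objectId": "obj-1", "ownerId": "user-alice"}  # constructed sample
    results = {
        "owner": resolve("Update", "user-alice", obj, RULES),
        "other": resolve("Update", "user-bob", obj, RULES),
        "find": resolve("Find", "user-bob", obj, RULES),
    }
    # Once ownerId points elsewhere, Owner Policy no longer matches the caller.
    obj["ownerId"] = "user-carol"
    results["after_owner_change"] = resolve("Update", "user-alice", obj, RULES)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```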
Thanks for the explanation Anatolii. It is very useful.
To me it will be more understandable for objects that have all permission for owner by default but only read permission for others.
If I want to implement this by myself, do I firstly deny all permission for all roles and grant find permission for all of them?
Thanks a lot!