Hi Backendless Team,
Application ID: censored
I’m having an issue with owner policy whereby the owner can update their user object even though the API key they are sending the update with has a deny X on the Update function:
API Key:
UserRole with UPDATE set as DENY X
Object in question testing with:
Testing an update of their object using the API Key (the user is logged in and I’m passing the user token in the header)
The object is updated and admin is now set to true.
It was my understanding that if the API they are using explicitly denies UPDATES, it would stop all updates on that table regardless of the owner policy.
The owner policy does have update set to true:
But as I mentioned above, the API key is set to deny, so it should block this?
I only want to be able to update that admin flag via the cloud code; it works fine if I set the user as not owning that object.