OwnerId security control with REST

Hi Support

I have a scenario with Backendless which I cannot work out. Here is a simplified explanation.

Imagine that I have a table which contains a list of messages. The user creates their messages and the admin responds with their messages, all tied together by a key. The problem I have is that, from a security perspective, the user retrieves only messages they’re permitted to see based on owner; however, the messages from the admin are not retrieved because the owner is different.

In Backendless, how would I solve this problem, because I don’t want to expose all other users’ messages to the outside world?

Appreciate any suggestions. I thought that I might be able to change the owner to the user once the admin posts their message but that appears to not be supported.

Thanks

Steven

Hello,

You should divide your users into groups. Each group should be a role. When the admin checks a message, he grants an object ACL permission on the object for a group.

Hi Sergey

Thanks for the message. Is the term groups a Backendless term/feature or a general term? Do you have documentation pointers? I’m using REST.

Thank you

Steven

When I say group, I mean user role.

Hi Sergey

Got it. But I am receiving an error. Please confirm this is correct:

I am calling the following endpoint:

https://api.backendless.com/xxx/xxx/data/product/permissions/GRANT/9C108E0E-E277-2BDC-FF52-083DCAE91F00

PUT request with a valid user token with the following body:
{
  "permission": "FIND",
  "user": "xxx"
}
But I am getting a

Backendless encountered an error while handling the request.

Any ideas?

Sergey. Sorry. I made a mistake. Just realised that in the URL above it should read products and not product. All sorted, thank you.