Also curious is that the same results are returned when I call the REST endpoint without being authenticated, despite the fact that my NotAuthenticatedUser does not have Retrieve permissions for this object.
Any help in understanding this will be greatly appreciated as the application we are doing a proof of concept for has some complex auth requirements.
Thank you for sharing this issue.
I just created an internal ticket BKNDLSS-24519 to investigate this.
Our engineer is going to check it as soon as possible.
We have investigated the issue. Please check out the doc: Security - Backendless REST API Documentation. We will remove object ACL support, so I will simplify the layered order of the decision:
1. Table permissions for the User account
2. Table permissions for the user-defined roles
3. Owner Policy
4. Table permissions for system-level roles
5. Global user-defined roles
6. Global system roles
When you call GET for the first time you have:
Permission only for Global system roles (layer 6).
You are not authorized and you use the REST API key, so you will have 2 roles: NotAuthenticatedUser and RestUser.
NotAuthenticatedUser has a DENY permission, RestUser has a GRANT permission, both on the same layer.
Both roles are on the same layer (6). If any of the permissions on the same layer is DENY, the operation will not be allowed. That is why you do not get any object.
When you call GET for the second time you have:
Table permissions for system-level roles (layer 4).
You are not authorized and you use the REST API key, so you will have 2 roles: NotAuthenticatedUser and RestUser.
NotAuthenticatedUser has a DENY permission on the 6th layer, RestUser has a GRANT permission on the 4th layer.
To make a decision we count only RestUser because it has a higher level; that is why you get objects.
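The layer-by-layer decision described in the reply above, as an added example that is not Backendless's own code: the `Rule` model, the numeric layer keys, the principal naming and the two sample permission tables are assumptions built from that reply.

```python
from dataclasses import dataclass

GRANT, DENY = "GRANT", "DENY"

# Layer order from the reply: a lower number is checked first and wins.
LAYERS = {
    1: "table permissions for the user account",
    2: "table permissions for user-defined roles",
    3: "owner policy",
    4: "table permissions for system-level roles",
    5: "global user-defined roles",
    6: "global system roles",
}

@dataclass(frozen=True)
class Rule:
    layer: int        # key of LAYERS
    principal: str    # user id, role name, or "owner" (assumed naming)
    operation: str    # e.g. "Retrieve"
    decision: str     # GRANT or DENY

def decide(rules, principals, operation):
    # Only the highest-priority layer with any matching rule is consulted;
    # on that layer a single DENY wins over any number of GRANTs.
    for layer in sorted(LAYERS):
        hits = [r for r in rules if r.layer == layer
                and r.operation == operation and r.principal in principals]
        if not hits:
            continue                       # fall through to the next layer
        if any(r.decision == DENY for r in hits):
            return DENY, layer
        return GRANT, layer
    return DENY, None                      # assumption: no rule -> no access

# Constructed sample: an anonymous REST caller holds both roles named above.
ANON_REST = {"NotAuthenticatedUser", "RestUser"}

# First GET in the reply: both roles decided on layer 6, one of them DENY.
FIRST_CALL = [
    Rule(6, "NotAuthenticatedUser", "Retrieve", DENY),
    Rule(6, "RestUser", "Retrieve", GRANT),
]
# Second GET: a RestUser GRANT on the table (layer 4) outranks the layer-6 DENY.
SECOND_CALL = FIRST_CALL + [Rule(4, "RestUser", "Retrieve", GRANT)]

print(decide(FIRST_CALL, ANON_REST, "Retrieve"))   # ('DENY', 6)
print(decide(SECOND_CALL, ANON_REST, "Retrieve"))  # ('GRANT', 4)
```

The returned layer number tells you which rule set actually made the decision, which is the first thing to check when an unauthenticated caller unexpectedly sees data.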