Permissions not functioning as expected

Backendless Version (3.x / 5.x, Online / Managed / Pro )

Online

Expected Behavior

Inherited permissions should allow me to retrieve the objects via the Rest Console

Actual Behavior

Inherited permission does not allow me to retrieve objects

Reproducible Test Case

Please see screencast of the issue here: https://dsc.cloud/a4f6b1/CleanShot-2021-03-22-at-11.29.34.gif

Am I misunderstanding how inheritance works?

Also curious is that the same results are returned when I call the REST endpoint without being authenticated, despite the fact that my NotAuthenticatedUser does not have Retrieve permissions for this object.

Any help in understanding this will be greatly appreciated as the application we are doing a proof of concept for has some complex auth requirements.

Thanks.

Hello @Evan_McDaniel

Thank you for sharing this issue.
I just created an internal ticket BKNDLSS-24519 to investigate this.
Our engineer is going to check it as soon as possible.

Regards, Vlad

Hello @Evan_McDaniel,

We have investigated the issue. Please check out the doc Security - Backendless REST API Documentation. We will remove object acl support, so I will simplify the layered order of the decision:

1. Table permissions for the User account
2. Table permissions for the user-defined roles
3. Owner Policy
4. Table permissions for system-level roles
5. Global user-defined roles
6. Global system roles

When you call GET for the first time you have:

  1. Permission only for Global system roles (layer 6)
  2. You are not authorized and you use the REST API key, so you will have 2 roles: NotAuthenticatedUser and RestUser
  3. NotAuthenticatedUser has denied permission, RestUser has grant permission, both on the same layer

Both roles are on the same layer (6). If any of the permissions on the same layer is DENY, the operation will not be allowed. That is why you do not get any object.

When you call GET for the second time you have:

  1. Table permissions for system-level roles (layer 4)
  2. You are not authorized and you use the REST API key, so you will have 2 roles: NotAuthenticatedUser and RestUser
  3. NotAuthenticatedUser has denied permission on the 6th layer, RestUser has grant permission on the 4th layer

To make a decision we count only RestUser, because it is on a higher level; that is why you get objects.
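As an added illustration of the layered decision described in the reply above (example code written for this thread, not Backendless's own implementation): it models the six layers and the same-layer DENY rule for the two GET calls, assuming that the most specific layer holding any rule for a role the caller has is the one that decides, and that no applicable rule yields no decision.

```python
from enum import Enum
from typing import NamedTuple, Optional

class Decision(Enum):
    GRANT = "grant"
    DENY = "deny"

# Layer order from the reply above: a lower number is consulted first.
LAYERS = {
    1: "Table permissions for the User account",
    2: "Table permissions for the user-defined roles",
    3: "Owner Policy",
    4: "Table permissions for system-level roles",
    5: "Global user-defined roles",
    6: "Global system roles",
}

class Rule(NamedTuple):
    layer: int        # key into LAYERS
    principal: str    # role or account name the rule applies to
    decision: Decision

def decide(rules, principals) -> Optional[bool]:
    """True if the caller (holding `principals`) may perform the operation.

    Only rules for principals the caller holds count. The highest-precedence
    layer (lowest number) with any such rule decides, and within that layer a
    single DENY blocks the operation, as the reply states for same-layer
    conflicts. None when no rule applies (assumed; not covered by the reply).
    """
    applicable = [r for r in rules if r.principal in principals]
    if not applicable:
        return None
    top = min(r.layer for r in applicable)
    return all(r.decision is Decision.GRANT
               for r in applicable if r.layer == top)

# Constructed rule sets mirroring the two GET calls in the thread. An
# unauthenticated caller using the REST API key holds both roles below.
UNAUTH_REST_CALLER = {"NotAuthenticatedUser", "RestUser"}
FIRST_CALL = [Rule(6, "NotAuthenticatedUser", Decision.DENY),
              Rule(6, "RestUser", Decision.GRANT)]    # both on layer 6
SECOND_CALL = [Rule(6, "NotAuthenticatedUser", Decision.DENY),
               Rule(4, "RestUser", Decision.GRANT)]   # RestUser now on layer 4

if __name__ == "__main__":
    print("first GET allowed:", decide(FIRST_CALL, UNAUTH_REST_CALLER))    # False
    print("second GET allowed:", decide(SECOND_CALL, UNAUTH_REST_CALLER))  # True
```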