Permission Bug allowing me to add relations

Hi Team, quick question, I’m just testing out permissions on one of my tables, it seems to be letting me add/set a relation even though I’ve got all of the roles un-ticked for it? I’ve even got it switched off in the global security roles.
The table in question is called BarComplaints, it’s got a column called BarID which has a data relation 1:1 with Bar. I create my Complaint object which is fine, but I wanted to test the permission error when I then try to add a relation (using addrelation) to the bar object, but the relation is created fine? Assumed if I had it unticked the relation wouldn’t be made.

Image shows the BarComplaints matrix.

Hi @Reece_Smith.

I just checked it myself using REST and an error is returned when trying to add/set relations:

"code": 1038,
"message": "User has no permission to add relation for the current table.",

Could you provide us with your APP-ID?
And also indicate which SDK you use when adding the relation. Also, we would be grateful if you would share a code snippet with us.
All this will help us sort out your problem as quickly as possible.

Regards,
Inna

Hi Inna,

App ID: XXX
I’ve tested it on server code and on the iOS SDK code (not using custom logic, just the normal Backendless API). Getting the same issue.
Example server code:

// Id of the user invoking the service
String UserID = InvocationContext.getUserId();
String Bar_ID = "";
// Save the parent BarComplaints object before adding relations to it
newComplaint.save();

// Child collection for the "UserID" relation: the invoking user, by objectId
HashMap<String, Object> userObject = new HashMap<String, Object>();
userObject.put( "objectId", UserID );
ArrayList<Map> userCollection = new ArrayList<Map>();
userCollection.add( userObject );

// Child collection for the "BarID" relation: the Bar object, by objectId
HashMap<String, Object> barObject = new HashMap<String, Object>();
barObject.put( "objectId", Bar_ID );
ArrayList<Map> barCollection = new ArrayList<Map>();
barCollection.add( barObject );

// Both calls were expected to fail with a permission error
Backendless.Data.of(BarComplaints.class).addRelation(newComplaint, "UserID", userCollection);
Backendless.Data.of(BarComplaints.class).addRelation(newComplaint, "BarID", barCollection);

I’ve pushed the code so you can see the issue:
https://develop.backendless.com/Tipple/bl/services/TippleAPI/addBarComplaint

Post Request:
{
    "newComplaint": {
        "complaint": "Test complaint"
    },
    "Bar_ID": "XXX"
}

You’ll need to login via the headers, I’ve created a temp user
U:gary@gary.com
P: XXX

Hello @Reece_Smith,
I’ll check it as soon as possible.

Regards,
Olha

The provided user has permissions to add/set relations. Please disable this permission and check.

Regards,
Olha

Hi Olha,

The matrix you have pasted above is from the Bar table and not the BarComplaints table.

However to humour it I disabled add/set relation on the Bar table too and it still works.

I logged in as gary@gary.com, invoked the addBarComplaint method with provided parameters and received the expected error. I didn’t make any changes.

Someone has changed something as it’s suddenly showing me that error too… I tested it this morning and it was still showing the error, no changes my end since.

Does it work properly now?

Yup looks good. Thanks to whoever fixed it.


Looks like the issue is happening again, nothing changed from earlier, I can once again add relations without any permissions set…
App ID: REMOVED



For tracking purposes, the internal ticket is BKNDLSS-21919

Hello @Reece_Smith

I tried to reproduce:

  1. Create a new app
  2. Deny add/set relation globally
  3. Deny add/set relation for all roles for the parent table
  4. Create a user account
  5. Make sure the user account inherits the denied permission for add/set
  6. Create a Java API service which saves an object and creates a relation with an existing child object
  7. Invoke the service with a logged in user from (3)
     Result: permission denied

I tried to reproduce with your gary@gary.com:

Test 1:
Delete relation BarID from BarComplaints with objectId = 1CD9-------------------8500
Invoke

{
    "newComplaint": {
        "complaint": "Test complaint",
        "objectId": "1CD-----------------------------------00"
    },
    "Bar_ID": "15E-----------------------------00"
}

RESPONSE:

200 - OK
Body:
false

No error, and the relation was not added


Test 2:
Invoke

{
    "newComplaint": {
        "complaint": "Test complaint 2"
    },
    "Bar_ID": "15E---------------------------00"
}

RESPONSE:

200 - OK
Body:
false

No error, BarComplaints was not created and the relation was not added

Based on two tests with your user (gary@gary.com) and your method (addBarComplaint), I can make the assumption that this method does not add a relation (does not call the addRelation method), and therefore cannot throw an exception for this.

Does your method addBarComplaint contain the addRelation method?

Apologies, I had changed the code when I was testing transactions with Mark.

If you try again using the addBarComplaint method:
{
    "newComplaint": {
        "complaint": "Test Comp"
    },
    "Bar_ID": "15EB978F-B357-03C8-FF66-EC06EA19F400"
}

You can see the object is created and relationships added. @mark-piller was able to replicate this end and confirmed it’s a bug.

@Reece_Smith the error has already been fixed.

Regards, Nikita.

It’s not fixed? I can still add relations without permission

@Reece_Smith now I’ll recheck, the ticket has the status “Resolved”.

Regards, Nikita

@Reece_Smith, I reopened the ticket BKNDLSS-21919, we will try to solve the problem as soon as possible!

Regards, Nikita

Hello @Reece_Smith

We figured out why you get such a result. The thing is that the users who added the relation to the object were the owners of this object. In order to prevent this from happening, you need to configure Owner Policy for the table https://monosnap.com/direct/4dzisY11ItrgF4FchCxGQbKr7XBpnp
Please try changing the permission settings and write to us about the result.

Regards,
Inna
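
The behaviour explained in the last reply, as an added example that is not part of the thread and is not Backendless code: a simplified model of an add-relation check in which an owner policy is evaluated before the role matrix. The precedence order, the rule names, the role names and the user ids are assumptions made for illustration; only error code 1038 comes from the thread.

```python
from enum import Enum

class Rule(Enum):
    GRANT = "grant"
    DENY = "deny"
    INHERIT = "inherit"

ERR_NO_ADD_RELATION = 1038  # error code quoted earlier in the thread

def can_add_relation(role_rules, owner_policy, user_roles, user_id, owner_id):
    """Assumed precedence: an explicit owner policy decides for the object's
    owner; a non-owner, or an owner under INHERIT, is decided by role rules."""
    if user_id == owner_id and owner_policy is not Rule.INHERIT:
        return owner_policy is Rule.GRANT
    rules = [role_rules.get(role, Rule.INHERIT) for role in user_roles]
    if Rule.DENY in rules:
        return False            # any denying role wins
    return Rule.GRANT in rules  # no explicit grant means no access

def add_relation(role_rules, owner_policy, user_roles, user_id, owner_id):
    """Return None when the relation would be added, else the 1038 code."""
    if can_add_relation(role_rules, owner_policy, user_roles, user_id, owner_id):
        return None
    return ERR_NO_ADD_RELATION

def run_matrix():
    """Negative-permission test matrix over constructed sample data."""
    # Constructed: every role denied, as described for BarComplaints.
    denied = {"AuthenticatedUser": Rule.DENY, "SampleRole": Rule.DENY}
    roles = ["AuthenticatedUser"]
    creator, other = "user-A", "user-B"  # hypothetical user ids
    return {
        # The thread's test: the caller saved the object, so the caller owns it.
        "owner_policy_grant": add_relation(denied, Rule.GRANT, roles, creator, creator),
        "non_owner": add_relation(denied, Rule.GRANT, roles, other, creator),
        "owner_policy_deny": add_relation(denied, Rule.DENY, roles, creator, creator),
        "owner_policy_inherit": add_relation(denied, Rule.INHERIT, roles, creator, creator),
    }

if __name__ == "__main__":
    for case, result in run_matrix().items():
        print(f"{case}: {'relation added' if result is None else 'error ' + str(result)}")
```

A deny rule checked only with the account that created the object exercises the owner path, so a permission test for a table should also run as a user who does not own the object.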