Permission question

Hello, suppose I have a table called “Company” and then a table called “CompanyUsers” linking multiple Users to a company. Now, I would like any Users associated with the “Company” via “CompanyUsers” to be able to read/edit the Company record. How do I achieve this?

Hi Bob,

The Load Object Relations Codeless block provides a way to retrieve related objects for a specific parent object:
https://backendless.com/docs/js/data_two_step_retrieval.html#codeless-reference

Btw, if the relationship between a company and its users is one-to-many, the additional table that creates the mapping between the entities may be overkill. A simpler solution would be to create the companyUsers relation column (with the one-to-many cardinality) in the Company table pointing to the Users table.

Regards,
Mark

Oh yes, the one-to-many relation column is indeed a much better approach. Thank you.

But I am still running into the problem that the users do not seem to have access to read/write the related Company. Does it matter whether Users point to Company or Company points to Users in terms of ensuring the correct permission?

To reiterate, my goal is to ensure that all Users related to a Company are able to edit the Company information stored on the Company table.

The direction of the relationship has no bearing on what users can or cannot read/write. That part is controlled by the security permissions you configure in Backendless.

I see. Then I am still unclear on how to set up security permissions that allow multiple users to read the same company entity. Is it purely via a manually defined ACL for the company entity to ensure the related person can read/write to it? Since the company’s ownerId can only be a single person. I have been reading up as much as I can, but I am afraid I am still a little lost.

If you have not made any changes to the permissions, the default settings do not restrict it. Have you made any changes there? What errors do you get?

This is what I’ve done for both the Company and User table. The HPS role is basically the admin role reserved for internal staff. This setup seems to work for any items created by the user, but does not work in the relations setup as discussed above.

I am completely new to permissions so do suggest a better way if there is one. I have already set up the same thing three times, a fourth will be a good price to pay for learning! :sweat_smile:

Does your app communicate with the database directly or through custom API services?

Currently with the database directly using the data API in the UI builder. I have yet to play with custom API, but I am open to that option also, although my initial attempt seems to have yielded the same results.

Create a custom role that you would assign to the non-admin users and grant permission to read/write data to that role.

Ok, I can do that, but wouldn’t this then allow all users to edit all companies? I only want users (each company can have multiple users) to be able to edit the companies (each user can belong to multiple companies also) they are related to.

In that case you would need to implement company editing in an API service where you would also check if the user who made the call belongs to the company.
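As an added illustration of the check described in the reply above (example code written for this page, not part of the thread and not Backendless's own API): a JavaScript service operation that refuses to save a Company unless the caller's user id is one of the users related to it, and that only accepts member-editable fields. The `dataStore` object, the `companyUsers` field name, the `MEMBER_EDITABLE_FIELDS` list, the `AuthorizationError` class and the sample rows are all assumptions constructed for the example; in a real service the caller's id would come from the request context and the reads/writes would go through the Backendless Data API.

```javascript
// Added example (not from the thread or from Backendless): a server-side
// "edit company" operation that verifies membership before writing.
// `dataStore` is an assumed abstraction standing in for the data API; here it
// is an in-memory store constructed for the example so the code runs offline.

// Fields a company member may change. ownerId and the companyUsers relation
// are deliberately excluded so a member cannot reassign ownership or
// add/remove members through this path.
const MEMBER_EDITABLE_FIELDS = ['name', 'address', 'phone'];

// Assumed error type so callers can distinguish "not allowed" from other failures.
class AuthorizationError extends Error {}

// Constructed sample data: two companies, three users (u1, u2 belong to c1; u3 to c2).
function makeSampleStore() {
  const companies = new Map([
    ['c1', { objectId: 'c1', name: 'Acme', address: '1 Main St', ownerId: 'u1', companyUsers: ['u1', 'u2'] }],
    ['c2', { objectId: 'c2', name: 'Globex', address: '2 Side St', ownerId: 'u3', companyUsers: ['u3'] }],
  ]);
  return {
    findCompanyById: (id) => companies.get(id) || null,
    // companyUsers stands in for the one-to-many relation column suggested earlier in the thread
    loadCompanyUserIds: (id) => (companies.get(id) || { companyUsers: [] }).companyUsers,
    saveCompany: (company) => { companies.set(company.objectId, company); return company; },
  };
}

// Pure check: is `userId` one of the users related to the company?
// An empty or missing id (e.g. an anonymous caller) is never a member.
function isCompanyMember(userId, relatedUserIds) {
  return typeof userId === 'string' && userId.length > 0 && relatedUserIds.includes(userId);
}

// Service-style operation. `currentUserId` is the caller's identity, captured
// by the hosting service from the request context before any privileged work.
function updateCompanyAsMember(dataStore, currentUserId, companyId, patch) {
  const company = dataStore.findCompanyById(companyId);
  if (!company) throw new Error(`company ${companyId} not found`);

  // Membership check: ownerId is NOT consulted, so any related user qualifies.
  if (!isCompanyMember(currentUserId, dataStore.loadCompanyUserIds(companyId))) {
    throw new AuthorizationError(`user ${currentUserId} is not a member of company ${companyId}`);
  }

  // Field allowlist: reject attempts to touch ownership or the relation itself.
  const rejected = Object.keys(patch).filter((k) => !MEMBER_EDITABLE_FIELDS.includes(k));
  if (rejected.length > 0) {
    throw new AuthorizationError(`fields not editable by members: ${rejected.join(', ')}`);
  }

  return dataStore.saveCompany({ ...company, ...patch });
}

// Stand-alone demonstration of an allowed and a denied edit.
function demo() {
  const store = makeSampleStore();
  const allowed = updateCompanyAsMember(store, 'u2', 'c1', { name: 'Acme Ltd' });
  let denied = null;
  try {
    updateCompanyAsMember(store, 'u2', 'c2', { name: 'Globex Ltd' });
  } catch (e) {
    denied = e instanceof AuthorizationError ? e.message : null;
  }
  return { allowedName: allowed.name, denied };
}
```

This check has to live in the service itself because, as the thread goes on to discuss, Cloud Code can execute under a role such as ServerCodeUser or with the user token cleared; once that happens the role-based permissions no longer constrain the write, so the code is the only thing standing between a user and another company's record.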

Ok, so if I add a “Cloud code”, this would automatically run under the permission “ServerCodeUser”?

Yes

I’ll give that a go. My initial attempt failed, but will try again to see what I might have missed. Thank you again for being patient and super helpful as always.


Hi Mark, I have just found this article, and I think it highlights the problem I am facing also with the Cloud Code.

So basically I have a logged-in end-user calling a Cloud Code, so the lowest permission level still applies.

The article then talks about hacking it to strip out the user token before executing the code. I’m using Codeless for both the Frontend and Cloud Code; is there a way to do this?

Oh, I have just answered my own question… I can simply set the Current User Token to empty before executing the code.