Permission settings cause users to share data

My users upload images that should be only view-able and handled by them self.

Let me describe what’s happening; I created my first user, uploaded an image successfully with this method:

Backendless.Files.Android.upload(image1_scaled, Bitmap.CompressFormat.PNG, 100, identifier+"image1"+profile, "images", new AsyncCallback<BackendlessFile>() {
   @Override
   public void handleResponse(BackendlessFile response) {
    
         fileMapping.url_1 = response.getFileURL();


      Backendless.Data.of(UserFileMapping.class).save(fileMapping, new AsyncCallback<UserFileMapping>() {
         @Override
         public void handleResponse(UserFileMapping response) {
            toast_error("Image stored");
         }

         @Override
         public void handleFault(BackendlessFault fault) {
            System.out.println("ERROR" + fault.getCode());
         }
      });
   }

   @Override
   public void handleFault(BackendlessFault fault) {
   }
});

I then created a second user and logged in on that account, and the same image I uploaded from the first account shows up after iterating through the FileMapping table and downloading the image from the url it returns. So obviously I’ve managed the table’s permissions wrongly. I simply want that every image the currently logged in user uploads, can only he retrieve, edit and delete.

http://support.backendless.com/public/attachments/c3d770f47296ead68565290df0b25cb3.png</img>

http://support.backendless.com/public/attachments/76e01898b94da55310ee4fac5337661c.png</img>

c3d770f47296ead68565290df0b25cb3.png1740×494 41 KB

76e01898b94da55310ee4fac5337661c.png1749×353 16.6 KB

Did you watch a recording of the “Backendless Security” webinar? I described and demonstrated the concept of “owner policy” in there (this is what you will need to apply here). All our webinars are at https://backendless.com/webinars

That cleared up most of it. But I still can’t handle the FileMapping data table correctly. If I for say, upload a few images from a user account, their URL’s are stored in the same FileMapping object (Row). But if I restart the application and upload another image, it’s URL is stored in a new FileMapping object/row, with the same owner ID though. But I would guess that it’s preferable to have all URL’s stored under the same row for the user? If so, is it up to how I’m saving the FileMapping url? I haven’t really got to understand the difference betwenn “Backendless.Data.of(something.class).save()” and “Backendless.Persistence.of(something.class).save()”.

There is no difference between:

Backendless.Data.of(something.class).save()
and
Backendless.Persistence.of(something.class).save()

Backendless.Data and Backendless.Persistence point to the same object and do the same thing.

Sorry, but I could not understand the issue you were describing.