Permissions from Hosted service are broken

I have a hosted service. I have a method that returns the roles that the calling user is a member of, which returns this “roles:_SuperAdmin,AuthenticatedUser”, so I know that these are the only 2 roles that I am in.

However calling a method that try to create an object results in “message”: “com.backendless.exceptions.BackendlessException: User has no permission to create entityServiceException”

when I explicitly only allow those 2 roles to create in that table(as below). Can you explain why this fails, because that does not seem right.
http://support.backendless.com/public/attachments/744749e740a2c67860cdd4d215d07360.png</img>

Could you clarify where you call the method that creates the object? Is it invoked from the hosted service?

The create is being invoked from directly in the hosted service method being called. I am calling the hosted service from the API inspector in the back endless console.

Since you denied access to the ServerCodeUser role, the requests which originate from hosted service will be denied (if you use the Server Code secret key).

What does hosted code run as by default?

I seem to have to allow unauthenticated user to enable the hosted code to create. Does that mean it is not running in the context of server code? If I allow unauthenticated user then anyone can create right?

I am finding this really confusing for some reason. Is there something that I have to do to make the code run as serverCode?

Be default it runs as NonAuthenticatedUser and uses the Server Side secret key, which means the ServerCodeUser role will be assigned to the invocations received with that key. If that role is denied access, requests will not go through.

The rule is ultra simple: if there is at least one REJECT, invocations will not be allowed. If you allow unauthenticated users , but deny for IOSUser, AndroidUser, etc, then invocations using those keys will not be able to process requests.

ok, so I have to allow unauthenticated user and then just deny access from all keys other than serverCode and it will work just for server code then. And I then have to do all the role checking against the tables I want to create into myself in the hosted code rather than using the role definitions on the tables.

I guess what I was hoping for was to set access permissions on the tables and then get the server code to work as the calling user so that I did not have to implement all the checking myself.

I do not understand the following statement:

And I then have to do all the role checking against the tables I want to create into myself in the hosted code rather than using the role definitions on the tables.

Sorry was not a very clear statement… let me try again.

If I want to only allow someone in a custom role to create entities in a table, I have to set the table to allow create for unauthenticated and serverCode roles, then in the serverCode I have to check the calling admin roles and refuse the update if its not in the custom role. I cannot rely on backendless for this by using tables permissions.

If I want to only allow someone in a custom role to create entities in a table, I have to set the table to allow create for unauthenticated and serverCode roles

When someone belongs to a role, it means that user is already authenticated. A non-authenticated user cannot belong to a custom role. The only two roles it belongs to are the NonauthenticatedUser role and the one corresponding to the secret key they use.

Sorry… let me try again…

The original caller of the API is an authenticated user in the custom role.
They make the call, but since all operations carried out in the API method are with the unauthenticated user in the serverCode role, the original users role cannot be used to determine if they can create an object unless in the serverCode I enumerate all the roles they are in and perform that validation myself.

It would be really nice if the originating users roles could be applied to the data manipulation being carried out by the serverCode.

Sorry, this is really difficult to explain…

I get it now. I am curious how you perform the validation? I refer to this part:

“…unless in the serverCode I enumerate all the roles they are in and perform that validation myself.”

It sounds like what you’re asking is whether it would be possible to impersonate the original caller in the API calls made by the hosted service.

So on the API call I use this

com.backendless.servercode.InvocationContext.getUserRoles();

to enumerate the roles of the originating caller then check to see if thats a role that I want to enable to make the operation.

What I want to do is impersonate the caller yes :slight_smile: