In the hopes this is succinct, can the following be accomplished with Backendless default User and/or Role Permissions, or how would we need to change them?
We find that REST API queries to a Data Service table that include a user-token header item for an Authenticated User return all records that match the “where” clause, even those not owned by the user associated with the user-token at login. The query has the form:
curl -i -k \
  -H "application-id:<application-id>" \
  -H "secret-key:<REST Secret Key>" \
  -H "application-type:REST" \
  -H "user-token:<user-token>" \
  -X GET "https://api.backendless.com/v1/data/<table>?where=status%3D1&pageSize=10&offset=0"
If it is straightforward to do so, we’d like “regular” users to only receive objects owned by them in response to REST API queries that include their user-token in the header. We’d like the default behavior described above to only apply for a group of “administrative” users when a user-token for one of them is supplied in the REST API query.
Is this possible and, if so, is it a matter of either:
- Including something else in the REST API query (e.g. “where” clause) itself?
- Adjusting the permissions of the Authorized User role?
- Creating new roles for “regular” and/or “administrative” users?
- Or ???
Thanks.
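Whatever the permission change ends up being, it is worth having a repeatable check that a "regular" user's token really only returns that user's own objects. The script below is an added example (not code from the original post or from Backendless) that builds the same GET request as the curl command above with Python's standard library and then audits a response for objects whose owner is not the calling user. It assumes that Backendless objects carry an `ownerId` system property and an `objectId`, and the application id, REST key, token and user id are placeholders; the sample response at the bottom is constructed so the audit can be run offline. A `where` clause such as `ownerId='<user-objectId>'` added by the client narrows the result set but is not an access control, since the client chooses the clause; only the server-side role permissions decide what a token is allowed to read, which is exactly what this check is meant to confirm.

```python
import json
import urllib.parse
import urllib.request

API_BASE = "https://api.backendless.com/v1/data"


def build_request(table, where, user_token, app_id, rest_key, page_size=10, offset=0):
    """Build the same Data Service GET request as the curl command in the post."""
    query = urllib.parse.urlencode(
        {"where": where, "pageSize": page_size, "offset": offset}
    )
    url = f"{API_BASE}/{urllib.parse.quote(table)}?{query}"
    headers = {
        "application-id": app_id,      # placeholder: your application id
        "secret-key": rest_key,        # placeholder: your REST secret key
        "application-type": "REST",
        "user-token": user_token,      # token returned by the login call
    }
    return urllib.request.Request(url, headers=headers, method="GET")


def fetch_records(req):
    """Send the request and decode the JSON array of objects (network call)."""
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def foreign_records(records, user_id, owner_field="ownerId"):
    """Return every object whose owner is not the user the token belongs to.

    owner_field is assumed to be the Backendless 'ownerId' system property.
    """
    return [r for r in records if r.get(owner_field) != user_id]


def check_owner_scoping(records, user_id):
    """Summarise whether a response is scoped to the calling user's objects."""
    leaked = foreign_records(records, user_id)
    return {
        "total": len(records),
        "foreign": len(leaked),
        "scoped": not leaked,
        "foreign_ids": [r.get("objectId") for r in leaked],
    }


# Constructed sample response: two objects owned by user-A, one by user-B.
SAMPLE_RESPONSE = [
    {"objectId": "obj-1", "status": 1, "ownerId": "user-A"},
    {"objectId": "obj-2", "status": 1, "ownerId": "user-A"},
    {"objectId": "obj-3", "status": 1, "ownerId": "user-B"},
]


if __name__ == "__main__":
    # Offline run against the constructed sample: a regular user's token
    # should never see obj-3, so this response would fail the check.
    result = check_owner_scoping(SAMPLE_RESPONSE, "user-A")
    print(json.dumps(result, indent=2))

    # To audit a live table, replace the placeholders and uncomment:
    # req = build_request("<table>", "status=1", "<user-token>",
    #                     "<application-id>", "<REST Secret Key>")
    # print(check_owner_scoping(fetch_records(req), "<user-objectId>"))
```

Run it once with a token from a "regular" user and once with a token from an "administrative" user: the first should report `scoped: true`, the second is expected to list the other users' `objectId`s under `foreign_ids`. Seeing foreign objects for a regular user after the permission change means the role configuration, not the query, still needs adjusting.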