Hello again,
I have an API Service which creates a file in a folder, the users should only be able to write to the folder by the api call, not via upload, rest or other functions. So i restricted the access to this folder and only the ServerCodeUser has the permissions.
File creation fails with 400 - User has no permissions for specified resource (4000)
.
Is it possible to run specific parts of the code “as other/admin user” ?
I have different ideas how to achive this but i would like to get a second opinion, regarding security concerns and practicability.
-
Create and admin user. save token of orginal user, log in admin user, create file, set permissions to file login orginal user, set user token to saved token .
-
Outsource the create-part as another service and call this service via the ServerCodeAPI-Key url
-
Give user permission to create files in this folder and somehow block all other uploads/creations with an handler
I personally think that option 2 has the least side effects.
Best,
Jan
Hi.
About the third point: yes, you can archive this with the two event handlers – saveFileFromByteArray
(you name it ‘create’, right?) and beforeUpload
; there you may perform some checks and either allow or block the call.
It is also possible to block any calls except from the business logic code (ServerCodeUser
).
This user has the higher privileges in comparison to other users. It’s totally legal to create the file in your server code (with ServerCodeUser
) and assign the user/role permission on it.
I would say – it is quite workable approach.
So i restricted the access to this folder and only the ServerCodeUser has the permissions.
File creation fails with 400 - User has no permissions for specified resource (4000)
.
Do you receive such an error for the ServerCodeUser
? Maybe some mess in rights? Do you perform login/logout in your business logic code?
The error was for the normal rest call.
I ended up doing some role checks and calling the api method recursive, so the ServerCodeUser
role is added. I still had to set the permissions for the ServerCodeUser
explicit as folder permission.
Unwanted side effect: I have to modify the result url, because it would leak the ServerCodeUser-API key .