Users can have Addresses, and Addresses can have AddressAttributes.
I have an API to update an AddressAttribute. I want to limit access to the API for obvious reasons. I have three unique needs to update an AddressAttribute:
The user with the AddressAttribute
A customer service person updating the attribute for the user
A system process updating attributes
I’m looking for suggestions on how to lock down access to the updateAddressAttribute API for these three use cases.
In the popup that opens up, click the ROLES PERMISSIONS tab and assign the permissions to invoke your service method(s) to the corresponding role.
If you do not have specific roles for the users in your app, then it would have to be in the service logic to check if the user can or cannot invoke the method.
Oh, that is nice. Thanks, @mark-piller. That works perfectly to lock down an API for our customer service team and to limit outside access.
Follow-up question.
For the standard User, I also want to lock the API down so a user can’t update other User’s AddressAttribues. Because an AddressAttribute row could have been added by a customer service person, or a server process, I cannot guarantee the ownerId is the same as the logged in User. Is that a mistake, and the ownerId should always be set to the User.objectId that it relates to, regardless of how the row is added?
Or should I join all the way back to the User table every time to verify ownership?
The ownerId column is used only when you apply the Owner Policy rules for data retrieval/update. If you haven’t done anything to configure owner policy, it doesn’t matter what value the ownerId column has.
