Securing Table Based on Variable Inside That Table

I’m sure there is some simple solution to this, but for whatever reason I cannot seem to find it. Is there a way to lock down the database based on dynamic data within that database?

I am storing sensitive files on Backendless but the front end is Bubble. The database has a file table to store the files and there is a relation field (linked to Users) to specify who that file is sent to. There are 2 extra user roles. Role 1 (doctor) can retrieve all files but role 2 (patient) should only be able to retrieve files that they are linked to. Both roles still need to be able to create files, though. I want to lock down any calls to the file table so that any verified patient can only retrieve files that are related to them.

I thought of doing this with a view but that doesn’t work with variables as far as I can tell. I also looked into cloud code but if I use it then I need to leave the permissions open to patients on the files table. The last possible solution I thought of, is using the ownerId field but I can’t seem to change that field.

I can use WHERE clauses in my GET statements to get exactly the data I need. However, a bad actor who has signed up as a patient on my site can see this particular call along with their valid user-token and use these to get all the medical files.

Sorry for the long post and thanks in advance

Hi Jeremy,

This can be possible if you create and use the security roles in Backendless. Roles should be assigned to the corresponding users. Is this how you already configured it?

Regards,
Mark

Hi Mark,

Yes, I already configured the app to have 2 extra security roles, one for doctors and one for patients. I also assigned those roles to users. However, I am having trouble understanding how this would be able to keep one patient user from seeing all patient users’ medical files if the initial patient user was technically savvy.

Unless I am wrong about something, if I was a hacker looking for this data, I could sign up as a patient on the website. Then I would be able to see my user-token along with the GET call (to the files table) and hop into Postman to make a call to the same table returning all items. If I could make the call server side so my users never see it then this wouldn’t be a problem; unfortunately it has to be client side in this case.

Thanks,
Jeremy

Hi Jeremy,

There are two options for solving this:

Option 1 - Owner Policy
IF (and only IF) the records in question are created by the patients themselves (i.e. using an API call that has a user-token of the patient user), then you can apply the owner policy where patients can retrieve only the records they “own”. Doctors would have role-based permission that allows them to get all the data. Here’s a how-to article that describes how to configure Owner Policy.

Option 2 - user-based ACL
As an alternative to Option 1, you can restrict access to specific objects in the database to a specific user by assigning permission for that user to access the object using the following API:
Permissions API - Backendless REST API Documentation

By default, no one should have access to the objects in the table, unless there is permission assigned with the API call referenced above.

Hope this helps.

Regards,
Mark
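Added example (not Backendless or Bubble code, and not from either poster): a small in-memory model of Mark's Option 2, showing why a per-object, user-based ACL closes the gap Jeremy describes, because the server applies the ACL before any client-supplied WHERE clause, so stripping the WHERE in Postman gains the caller nothing. Table names, user ids and file records are constructed for illustration; in a real app the grants are made through the Permissions API Mark linked.

```javascript
// Constructed sample data: a Files table where table-level FIND is denied by
// default and only the "doctor" role has a role-based FIND grant.
const tablePolicy = { FIND: { roles: ["doctor"] } };

const files = [
  { objectId: "f1", name: "scan-a.pdf", grants: { FIND: ["patient-1"] } },
  { objectId: "f2", name: "scan-b.pdf", grants: { FIND: ["patient-2"] } },
  { objectId: "f3", name: "scan-c.pdf", grants: { FIND: [] } }, // nobody granted yet
];

// Constructed sample users with the roles from the thread.
const doctor = { objectId: "doc-1", roles: ["doctor"] };
const patient1 = { objectId: "patient-1", roles: ["patient"] };
const patient2 = { objectId: "patient-2", roles: ["patient"] };

// Option 2 decision: a role grant at table level, or a per-object user grant.
function canFind(user, file) {
  const roleGrant = tablePolicy.FIND.roles.some((r) => user.roles.includes(r));
  const userGrant = file.grants.FIND.includes(user.objectId);
  return roleGrant || userGrant;
}

// Server-side find: the ACL filter runs first; the client's `where` (if any)
// only narrows the result further. Omitting `where` is the "Postman" case.
function find(user, where = () => true) {
  return files
    .filter((f) => canFind(user, f))
    .filter(where)
    .map((f) => f.objectId);
}

// What the user-based Permissions API does when a file is sent to a patient:
// grant FIND on that one object to that one user (default for others stays deny).
function grantFindToUser(userId, objectId) {
  const file = files.find((f) => f.objectId === objectId);
  if (!file) throw new Error(`unknown object ${objectId}`);
  if (!file.grants.FIND.includes(userId)) file.grants.FIND.push(userId);
  return file.grants.FIND.length;
}
```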