Security for update in server code vs API.

Is there a way to specify that a data object cannot be updated by a non-owner via the api, but that server code can update that object even if triggered by a non-owner? Basically I want to protect an object from the /update call but still allow custom server code to modify that object.

You could create a special user account which would be used by server code. Then you'd modify the object's ACL and grant update permission to that user account. Before the server code does an update request, it needs to log in as that special user. Would that work for you?

Hi Mark,

If I understand the request, what the OP wants is a way to override the ACLs for server code.
There is something similar in Parse where you can explicitly indicate in the code that you want to have superuser permissions.

I have a very similar request: I want to have a read-only table from the point of view of the API, but I still want my server code to write to that table. There are many scenarios for that:

  • update counters in triggers
  • update rankings
  • write data to a different table based on a create trigger…

I haven't found a way to do it.

I still do not understand what’s wrong with the approach I proposed:

Creating a special role (or a user) that has explicit capability to work with the object (or the entire table), and using that user's identity to manipulate the objects in that table?
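The pattern proposed in the two replies above (a dedicated service user or role that the ACL grants update permission to, which server code logs in as before writing) can be modelled end to end without a backend. The block below is an added example written for this page; it is not Backendless code and does not use the Backendless SDK. It is an in-memory model with one table, per-object ACLs, a public /update path whose identity comes only from a client session token, and a server-code trigger that obtains the service identity from a secret held only on the server. The "ServerCode" role name, the SERVICE_SECRET constant, the session tokens and the sample object are all constructed for the example.

```javascript
// Added example, not Backendless code: in-memory model of the
// "service identity for server code" pattern discussed in this thread.
// Role name "ServerCode", SERVICE_SECRET and all sample data are assumptions.

const SERVICE_SECRET = "service-secret-only-on-server"; // assumed; never shipped to clients

// Constructed API sessions: token -> identity. The service identity is
// deliberately NOT reachable through this map, so no client token yields it.
const apiSessions = new Map([
  ["tok-alice", { userId: "u-alice", roles: ["AuthenticatedUser"] }],
  ["tok-bob",   { userId: "u-bob",   roles: ["AuthenticatedUser"] }],
]);
const serviceIdentity = { userId: "u-svc", roles: ["ServerCode"] };

// A fresh table with one object owned by Alice. Its ACL grants update only to
// the owner and to the ServerCode role (least privilege: one table, one verb).
function createScoresTable() {
  return new Map([
    ["obj-1", {
      objectId: "obj-1",
      ownerId: "u-alice",
      value: 10,
      acl: { update: { users: ["u-alice"], roles: ["ServerCode"] } },
    }],
  ]);
}

// ACL check: owner, explicitly listed user, or a listed role.
function canUpdate(obj, identity) {
  if (!identity) return false; // anonymous callers never update
  const acl = obj.acl.update;
  return obj.ownerId === identity.userId
    || acl.users.includes(identity.userId)
    || identity.roles.some((r) => acl.roles.includes(r));
}

// Single enforcement point shared by the public API and server code.
// objectId, ownerId and acl are stripped from the caller's changes so that a
// permitted update cannot be used to re-own the object or widen its ACL.
function updateObject(table, objectId, changes, identity) {
  const obj = table.get(objectId);
  if (!obj) throw new Error(`object ${objectId} not found`);
  if (!canUpdate(obj, identity)) {
    throw new Error(`update denied for ${identity ? identity.userId : "anonymous"}`);
  }
  const { objectId: _id, ownerId: _owner, acl: _acl, ...allowed } = changes;
  const updated = { ...obj, ...allowed };
  table.set(objectId, updated);
  return updated;
}

// The /update REST call: identity comes only from the caller's session token.
function apiUpdate(table, sessionToken, objectId, changes) {
  return updateObject(table, objectId, changes, apiSessions.get(sessionToken));
}

// Server code "logs in" as the service account using a secret that exists
// only server-side. A wrong secret yields no identity at all.
function loginAsService(secret) {
  if (secret !== SERVICE_SECRET) throw new Error("bad service credentials");
  return serviceIdentity;
}

// Example trigger (e.g. a counter bump): whoever triggered it is recorded for
// auditing, but the write itself is authorized by the service identity.
function serverCodeIncrement(table, objectId, delta, triggeredBy) {
  const svc = loginAsService(SERVICE_SECRET);
  const current = table.get(objectId);
  if (!current) throw new Error(`object ${objectId} not found`);
  return updateObject(
    table, objectId, { value: current.value + delta, lastTrigger: triggeredBy }, svc,
  );
}

// Helper so callers can observe a denial without try/catch noise.
function attempt(fn) {
  try { return { ok: true, value: fn() }; } catch (e) { return { ok: false, error: e.message }; }
}
```

The two properties a practitioner cares about are visible in the model: Bob's /update on Alice's object is refused because his session identity matches neither the owner nor the ACL, while a trigger Bob's request fires still updates the object because the write runs under the service identity. Two caveats the thread leaves implicit are also encoded: the service credentials must not be obtainable through any client-facing path (here the service identity is not in the session map), and the shared update routine must ignore caller-supplied ownerId and acl fields, otherwise a legitimate update could be used to widen the ACL.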