Is there a way to specify that a data object cannot be updated by a non-owner via the API, but that server code can update that object even if triggered by a non-owner? Basically I want to protect an object from the /update call but still allow custom server code to modify that object.
You could create a special user account which would be used by server code. Then you’d modify the object’s ACL and grant update permission to that user account. Before the server code does an update request, it needs to log in as that special user. Would that work for you?
If I understand the request, what the OP wants is a way to override the ACLs for server code.
There is something similar in Parse where you can explicitly indicate in the code that you want to have superuser permissions.
I have a very similar request: I want to have a read-only table from the point of view of the API but I still want my server code to write to that table. There are many scenarios for that:
- update counters in triggers
- update rankings
- write data to a different table based on a create trigger…
I haven’t found a way to do it.
I still do not understand what’s wrong with the approach I proposed:
Creating a special role (or a user) that has explicit capability to work with the object (or entire table) and using that user’s identity to manipulate the objects from that table?
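
The dedicated-account approach proposed in the replies above, sketched as an added example that is not part of the original thread and does not use any real backend SDK. The in-memory `AclStore`, the `svc-server-code` account name and the `onCommentCreated` trigger are all hypothetical; the point shown is that a single ACL check denies a non-owner's direct update while server code triggered by that same non-owner can still write under its own identity.

```javascript
// Constructed in-memory model; no real backend SDK is used.
const SERVICE_USER = "svc-server-code"; // hypothetical dedicated account

class AclStore {
  constructor() { this.objects = new Map(); }

  // Create an object whose update permission is limited to its owner
  // plus any principals listed explicitly in extraUpdaters.
  create(id, ownerId, data, extraUpdaters = []) {
    this.objects.set(id, {
      ownerId,
      data: { ...data },
      acl: { update: new Set([ownerId, ...extraUpdaters]) },
    });
  }

  // Single enforcement point: every update, whether it arrives through
  // the public API or from server code, is checked against the ACL.
  update(id, callerId, patch) {
    const obj = this.objects.get(id);
    if (!obj) throw new Error("not found");
    if (!callerId || !obj.acl.update.has(callerId)) {
      return { ok: false, reason: "update denied for " + (callerId || "anonymous") };
    }
    Object.assign(obj.data, patch);
    return { ok: true, data: { ...obj.data } };
  }
}

// Server-side trigger: runs because a non-owner acted, but performs the
// write under the service identity, never under the triggering user's.
function onCommentCreated(store, postId, triggeringUserId) {
  const current = store.objects.get(postId).data.commentCount;
  const patch = { commentCount: current + 1, lastCommentBy: triggeringUserId };
  return store.update(postId, SERVICE_USER, patch);
}

function demo() {
  const store = new AclStore();
  store.create("post-1", "alice", { title: "hello", commentCount: 0 }, [SERVICE_USER]);
  const direct = store.update("post-1", "bob", { commentCount: 999 }); // API call by non-owner
  const viaTrigger = onCommentCreated(store, "post-1", "bob");         // server-code path
  const owner = store.update("post-1", "alice", { title: "edited" });  // owner still allowed
  return { direct, viaTrigger, owner };
}
```

Because the service account is just another principal in the ACL, its credentials have to stay in server code only; any client that obtained them would pass the same check.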