"User has no permission to update entity" when saving object in afterCreate handler

I have a table with registration codes and whenever I create a new one, I want to invalidate any existing codes that were issued for the same person but were not used for some reason.

However, when I try to call Backendless.Persistence.of(‘DriverRegistrationCode’) inside of afterCreate handler for DriverRegistrationCode table, I get the following error:
“code”: 1012,
“message”: “User has no permission to update entity”

Hi Kateryna,

Do you perform the request to “create” on behalf of the authenticated user? The permissions in event handlers are inherited from the user which performs the request by default, or from NotAuthenticatedUser if there was no authentication.

You can also log the roles with the following code to better locate the problem:

List<String> userRoles = Backendless.UserService.getUserRoles();

Then you’ll be able to compare the roles with your application’s data permissions.

Hope it helps!

I am calling POST from Backendless REST Console with a logged in user.
However, when I get roles in the event handler, I get:
User { ‘0’: ‘ServerCodeUser’, ‘1’: ‘NotAuthenticatedUser’ }

Anyway, ServerCodeUser has all permissions for the table

It started working after I logged out and in again with the user

I just clarified with the team, that the proper way to get the role is to retrieve them from context: context.getUserRoles(). Sorry for the confusion.

Since the problem is resolved now, I shall close this topic. Please feel free to reopen the topic in case you run into the same problem again.

This code throws: “TypeError: req.context.getUserRoles is not a function”
The correct way to get roles is to get the following array: req.context.userRoles

Yes, you’re right. We didn’t notice that you use JS. The syntax Sergey has provided is for Java coderunner.

In order to prevent the issue you’ve faced with, I can offer you the following: allow access for “DriverRegistrationCode” table for ServerCodeUser, AuthenticatedUser and NotAuthenticatedUser roles, and deny access for all other roles. This way all requests from servercode would pass, but requests from all other clients would be rejected.