User updates another user's properties

Hi. In the Users table I have created two users. User A is supposed to be like an admin, and can create and update other users. When I log in with A and try to update user B (any property) using the REST API, I get this message:

{"message":"User can be updated only by himself or admin, if owner policy GRANT this operation","code":3094}

I don't understand exactly what I have to change in the app settings. I don't have an admin role (only the default ones: authenticated, nonauthenticated …). In the documentation I read that a user has to include user-token in requests to edit his own properties, but it doesn't say anything about another user. Is it possible?

Your observation is correct: in the version currently deployed on our site:

- a user can change his own account (obviously must be logged in)
- a user can change another user's account if he is the "owner" of those accounts and Owner Policy grants that privilege.

The second point should be clarified:

Suppose user A makes a call to register user B using the API. In this case, once the user is registered, you will see that user in the Users table in console. Take a look at the column ownerId for the user B, it should have objectId of user A, which means user A is the owner of the user object B. Once you are the owner, you can make changes to that object IF the owner policy allows you to do that. Btw, you can set ownerId directly in the console - make sure the column contains objectId of the user who becomes the owner.

What is Owner Policy?

Open console, select Users table and click “Table Schema and Permissions”. In the page that opens up, click “Owner Policy”. You will see three columns: Update, Find, Remove. Using that interface you can specify what owner can and cannot do with the objects they own.

In the new release we are working on, things will become a bit more flexible. We are adding a special permission which you can assign to users to allow them to modify other user accounts.

Hope this helps.

Mark

Hi Mark!

I have created user B with user A, but I see nothing in the ownerId column. Do I have to set an ownerId in the JSON request?

About owner policy, will your new release be compatible with the current one? I mean, if I use the owner policy feature now, will I have to change it for the new release?

Is the user A logged in when you send a request to register user B? Do you do it with a REST call or do you use a method from the client library?

Yes, user A is logged in. I am using PHP to make a REST call.

I have tested it again and the ownerId column is empty.

Does your code send “user-token” HTTP header when you make the call to register user B?

My mistake … I wasn't including user-token when creating a user. I have tried again including it in the request and now ownerId has a value. I will try owner policy now.

One more question … is it possible that two different users could modify a third user's properties? Suppose A creates user B and B creates user C. Could user A modify user C?

> is it possible that two different users could modify a third user properties? Suppose A creates user B and B creates user C. Could user A modify user C

No, in this case user A would not be the owner of user C, therefore he cannot change the account of C. This will be possible with the introduction of the new permission which would let you specify users (or roles) which have this super privilege.

Regarding the compatibility question of the new release with what we have now, it will remain compatible. You will not need to change owner policy, but you will get more flexibility.
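
The rule described in this thread, modelled in Python as an added illustration; this is not Backendless code and not part of any post. The class, its method names and the token values are assumptions; only ownerId, objectId, user-token, the Owner Policy columns and error code 3094 come from the thread.

```python
import itertools
from dataclasses import dataclass, field

ERR_OWNER = 3094  # error code quoted in the first post

@dataclass
class UsersTable:  # hypothetical model, not the real service
    # Owner Policy columns named in the thread: Update, Find, Remove
    owner_policy: dict = field(default_factory=lambda: {"Update": True, "Find": True, "Remove": True})
    rows: dict = field(default_factory=dict)      # objectId -> user row
    sessions: dict = field(default_factory=dict)  # user-token -> objectId
    ids: itertools.count = field(default_factory=lambda: itertools.count(1))

    def login(self, object_id):
        token = f"token-{object_id}"  # constructed token value
        self.sessions[token] = object_id
        return token

    def register(self, name, user_token=None):
        # ownerId is set only when the request carries a valid user-token
        owner = self.sessions.get(user_token)
        object_id = f"user-{next(self.ids)}"
        self.rows[object_id] = {"objectId": object_id, "name": name, "ownerId": owner}
        return object_id

    def update(self, target_id, props, user_token=None):
        caller = self.sessions.get(user_token)
        row = self.rows[target_id]
        is_self = caller is not None and caller == target_id
        is_owner = caller is not None and row["ownerId"] == caller
        if is_self or (is_owner and self.owner_policy["Update"]):
            row.update(props)
            return {"ok": True}
        return {"ok": False, "code": ERR_OWNER}

def demo():
    t = UsersTable()
    a = t.register("A")
    tok_a = t.login(a)
    b1 = t.register("B1")                       # user-token header omitted
    b = t.register("B", user_token=tok_a)       # header sent: A owns B
    c = t.register("C", user_token=t.login(b))  # B owns C, A does not
    out = {"b1_owner": t.rows[b1]["ownerId"], "b_owner": t.rows[b]["ownerId"] == a}
    out["a_updates_b1"] = t.update(b1, {"name": "x"}, tok_a)
    out["a_updates_b"] = t.update(b, {"name": "x"}, tok_a)
    out["a_updates_c"] = t.update(c, {"name": "x"}, tok_a)  # ownership is not transitive
    t.owner_policy["Update"] = False            # Owner Policy denies Update
    out["a_updates_b_denied"] = t.update(b, {"name": "y"}, tok_a)
    out["a_updates_self"] = t.update(a, {"name": "A2"}, tok_a)
    return out
```
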

OK, I have it clearer now. Thanks Mark!

Hi, has this super account been created?

In my app users have to be able to become friends with other users and also break up this relationship. When A and B become friends A establishes a relationship to B and B establishes a relationship to A. If A or B decide to break this relationship they have to modify their own property and the property of the other user. How can I do that, having in mind that A is not the owner of B and vice versa?