What user context does ServerCode run in?

I created a custom event that checks login information on an external host and registers or updates the user if it already exists.
But when I try to update, find or create a user with the Android Secret key, it works. So any unauthenticated user with a secret key can perform any user operation, like changing a password. Theoretically permissions are compared with AND, so with the permissions shown in the image below AndroidUser cannot do any operations on this table and ServerCodeUser can.
After removing the NotAuthenticatedUser permission on the table, nothing works.
Permission configuration on user table:
I believe that this is a security hole.

Hi Julio

You should specify the Code Runner Secret Key in your CodeRunner config so that all requests made from your server code are executed under ServerCodeUser permissions.

Hi Vitaly, thanks for your response

Are you talking about the runner.properties file? If yes, the application.secretKey property is already set with the Server Code Secret Key.

What is the end goal here? I am confused about what you’re trying to accomplish and what the problem is.


Sorry Mark.

I’m simply trying to update a user in a custom ServerCode event.
But after removing the update permission for NoAuthenticatedUser, ServerCode cannot update anymore.
In the image above I added the permission to NoAuthenticatedUser, and AndroidUser too can do find, update and create operations even without permission to do that.

The code:

public Map handleEvent(RunnerContext context, Map eventArgs) {
    // ... (external login check not shown in the post)
    if (externalCheckOk) {
        // ... (lines missing from the post)
    }
    return myMap;
}

private void backendLessUserHandler(String login, String password) {
    // Look the user up by name; login is inserted into the where clause unescaped.
    BackendlessDataQuery query = new BackendlessDataQuery(String.format("name = '%s'", login));
    BackendlessCollection<BackendlessUser> resultUser = Backendless.Data.of(BackendlessUser.class).find(query);
    if (resultUser.getTotalObjects() > 0) { // update
        BackendlessUser backendlessUser = resultUser.getCurrentPage().get(0);
        // ... (update logic not shown in the post)
    } else { // create
        BackendlessUser user = new BackendlessUser();
        user.setProperty("name", login);
        // ... (rest not shown in the post)
    }
}

That is correct, because server code does not have a logged in user in the context. If you want to restrict access so that non-authenticated users are not allowed to make calls, then you should do the following:

  1. create a special user account in the Users table
  2. in your custom server code, use the Backendless.UserService.login to log in the user from (1)

then do the rest of the logic. This way the calls made by server code will arrive as from an AuthenticatedUser.
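
The two steps above applied to the handler from the question, as an added example (not code from the thread or from Backendless). Assumptions: the class and method names, the environment variable names that hold the service account's credentials, the login character allow-list, and that an update means setting the password.

```java
import com.backendless.Backendless;
import com.backendless.BackendlessCollection;
import com.backendless.BackendlessUser;
import com.backendless.persistence.BackendlessDataQuery;
import java.util.regex.Pattern;

public class ServiceAccountUserSync {
    // Assumption: credentials of the dedicated account from step (1) are supplied
    // through environment variables with these hypothetical names.
    private static final String SVC_LOGIN = System.getenv("SVC_ACCOUNT_LOGIN");
    private static final String SVC_PASSWORD = System.getenv("SVC_ACCOUNT_PASSWORD");

    // Assumption: logins are restricted to this character set, so nothing that
    // could alter the where clause (quotes, spaces) is ever interpolated.
    private static final Pattern SAFE_LOGIN = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    public static void syncUser(String login, String password) {
        if (login == null || !SAFE_LOGIN.matcher(login).matches()) {
            throw new IllegalArgumentException("login contains unexpected characters");
        }
        // Step (2): authenticate first, so the calls below arrive as AuthenticatedUser.
        Backendless.UserService.login(SVC_LOGIN, SVC_PASSWORD);
        try {
            BackendlessDataQuery query =
                new BackendlessDataQuery(String.format("name = '%s'", login));
            BackendlessCollection<BackendlessUser> found =
                Backendless.Data.of(BackendlessUser.class).find(query);
            if (found.getTotalObjects() > 0) {          // update
                BackendlessUser existing = found.getCurrentPage().get(0);
                existing.setPassword(password);
                Backendless.UserService.update(existing);
            } else {                                    // create
                BackendlessUser user = new BackendlessUser();
                user.setProperty("name", login);
                user.setPassword(password);
                Backendless.UserService.register(user);
            }
        } finally {
            // Drop the service session even if a call above throws.
            Backendless.UserService.logout();
        }
    }
}
```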


Thanks Mark, I will try this.

I applied your suggestion and now it works as I expected.
Thank you for the great support and for this amazing tool that Backendless is.