Applications use the Backendless API to access data, run searches, store, update and delete objects in the database. When a user authenticates himself with the backend, all subsequent API calls are executed on the behalf of the logged in user. However, if an API call is made without an authenticated user in the session, it is associated with an anonymous user. As a result, in an application that does not restrict data access, the data is exposed to everyone.
Restricting access for anonymous (non-authenticated) users is a very straight-forward process. Application developer has multiple options ranging from denying access globally for all API calls to restriction at the data table-level or even at the specific object level. In this article I review the process for restricting access globally.
When an application makes an API call by a “guest” user, meaning a user who has not logged in, Backendless associates the user in that session with the NotAuthenticatedUser role. It is a built-in or system role and every Backendless application automatically includes it. You can see that role in the Applications Roles section located in the Users > Security & Restrictions screen of Backendless console.
When you click the NotAuthenticatedUser role, the console displays global security role matrix. To disable access for all operations for the non-authenticated users, click every green checkmark until the screen looks as shown below:
As a result of the changes described above, all API operations made by anonymous users will be rejected by Backendless. It is that easy.