In another post, we described how to adjust an object’s access control list (ACL) using Backendless Console. As we mentioned, in addition to Backendless Console, the object’s permissions can be controlled using the API.
In fact, for any persistent object, Backendless supports the following capabilities:
Granting/rejecting permission to execute a find/save/update/delete operation on an object based on:
The general API usage pattern is:
```java
DataPermission.<OPERATION>.grantForUser( userObjectId, dataObject )
DataPermission.<OPERATION>.denyForAllRoles( dataObject )
```

```javascript
Backendless.Data.Permissions.<OPERATION>.grantForUser(userObjectId, dataObject)
Backendless.Data.Permissions.<OPERATION>.denyForAllRoles(dataObject)
```
Where <OPERATION> can be FIND, UPDATE, or REMOVE. There are many more methods available for the <OPERATION> class supporting all the combinations listed above.
The sample below grants a user permission to execute FIND operations on an object and denies all roles permission to run searches on it. As a result, the ability to find that specific object is exclusive to the specified user.
```java
// Callback for the user-level grant
final AsyncCallback<Incident> grantForUserResponder = new AsyncCallback<Incident>() {
    @Override
    public void handleResponse(Incident aVoid) {
        Log.i(TAG, "Permission has been granted to user");
    }

    @Override
    public void handleFault(BackendlessFault fault) {
        Log.e(TAG, "Server reported an error - " + fault.getMessage());
    }
};

// Callback for the role-level deny
final AsyncCallback<Incident> denyForAllRolesResponder = new AsyncCallback<Incident>() {
    @Override
    public void handleResponse(Incident aVoid) {
        Log.i(TAG, "Permission has been denied for all roles");
    }

    @Override
    public void handleFault(BackendlessFault fault) {
        Log.e(TAG, "Server reported an error - " + fault.getMessage());
    }
};

// Look up the user who should keep access to the object
DataQueryBuilder query = DataQueryBuilder.create();
query.setWhereClause("email = 'spidey@backendless.com'");

Backendless.Data.of(BackendlessUser.class).find(query, new AsyncCallback<List<BackendlessUser>>() {
    @Override
    public void handleResponse(List<BackendlessUser> users) {
        // Do not touch the ACL if the lookup matched nobody
        if (users.isEmpty()) {
            Log.e(TAG, "No user found for the given email");
            return;
        }
        final BackendlessUser user = users.get(0);

        Backendless.Data.of(Incident.class).findFirst(new AsyncCallback<Incident>() {
            @Override
            public void handleResponse(Incident incident) {
                // Grant FIND to the one user, deny FIND to every role
                DataPermission.FIND.grantForUser(user.getObjectId(), incident, grantForUserResponder);
                DataPermission.FIND.denyForAllRoles(incident, denyForAllRolesResponder);
            }

            @Override
            public void handleFault(BackendlessFault fault) {
                Log.e(TAG, "Server reported an error - " + fault.getMessage());
            }
        });
    }

    @Override
    public void handleFault(BackendlessFault fault) {
        Log.e(TAG, "Server reported an error - " + fault.getMessage());
    }
});
```
```javascript
Backendless.initApp(APP_ID, API_KEY)

async function setupPermissions() {
  const userQuery = Backendless.DataQueryBuilder.create().setWhereClause("email = 'spidey@backendless.com'")

  const user = await Backendless.Data.of(Backendless.User).findFirst(userQuery)
  const incident = await Backendless.Data.of('Incident').findFirst()

  await Backendless.Data.Permissions.FIND.grantForUser(user.objectId, incident)
  await Backendless.Data.Permissions.FIND.denyForAllRoles(incident)
}

Promise.resolve()
  .then(setupPermissions)
  .then(console.log)
  .catch(console.error)
```
Once the code runs, the ACL permission matrix for the object will look as shown below:
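Separately from the console view, the effect of the two calls can be checked through the API by retrieving the object as the grantee and as other accounts. The following is an added example, not code from the original post or the Backendless SDK: `probeFind`, `verifyExclusiveFind` and `makeStubClient` are hypothetical names, the accounts are supplied by the caller, and it assumes a denied FIND shows up as an empty result or a server fault.

```javascript
// Added example: `client` is the initialized Backendless JS SDK object, or the stub below.
// Logs in as `account`, tries to retrieve one object, and reports what happened.
async function probeFind(client, table, objectId, account) {
  if (objectId.includes("'")) throw new Error('unexpected quote in objectId')
  await client.UserService.login(account.email, account.password) // login errors propagate
  try {
    const query = client.DataQueryBuilder.create().setWhereClause(`objectId = '${objectId}'`)
    const rows = await client.Data.of(table).find(query)
    return rows.length > 0 ? 'visible' : 'hidden'
  } catch (fault) {
    return 'fault: ' + fault.message // may be a denial or an outage; not proof of denial
  } finally {
    await client.UserService.logout()
  }
}

// Returns a list of findings; an empty list means FIND is exclusive to the grantee.
async function verifyExclusiveFind(client, table, objectId, grantee, others) {
  const findings = []
  const own = await probeFind(client, table, objectId, grantee)
  if (own !== 'visible') findings.push(`${grantee.email}: expected visible, got ${own}`)
  for (const account of others) {
    const result = await probeFind(client, table, objectId, account)
    if (result === 'visible') findings.push(`${account.email}: object is still retrievable`)
    else if (result !== 'hidden') findings.push(`${account.email}: inconclusive (${result})`)
  }
  return findings
}

// Constructed in-memory stand-in for the SDK so the check runs offline.
// `visibleTo` lists the e-mails allowed to retrieve the object.
function makeStubClient(objectId, visibleTo) {
  let current = null
  return {
    UserService: {
      login: async (email) => { current = email },
      logout: async () => { current = null },
    },
    DataQueryBuilder: { create: () => ({ setWhereClause(w) { this.where = w; return this } }) },
    Data: {
      of: () => ({
        find: async (q) =>
          q.where === `objectId = '${objectId}'` && visibleTo.includes(current) ? [{ objectId }] : [],
      }),
    },
  }
}
```

Against a real application, pass the initialized `Backendless` object as `client` and use dedicated test accounts; a fault on a non-grantee probe is reported as inconclusive rather than counted as a denial.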