Feature 60: Loading data objects which belong to the logged in user (Owner Policy)
March 8, 2015 by markpiller

A user on StackOverflow asked how to load only the data which belongs to the currently logged in user. Although if you read the question it may sound like something else, this is how I understood it. This is indeed an interesting and very common use-case. Backendless (IMHO) handles it beautifully and this feature certainly deserves a place in this feature-a-day series.

What you need to know before we get to the coding sample part is:

Loading data objects which belong to a user does not require any specialized APIs. You use exactly the same Backendless API you'd use to load any objects from the server. The trick is in setting up the security policy to restrict users from accessing data objects and letting Backendless fall back to what we call the Owner Policy.

Consider the example below. The code logs in a user and adds a few data objects:

Asynchronous sample (Android and Plain Java):

Synchronous sample (Plain Java only):

The Order class used by the code above is shown below.

The class uses public fields, but could also be turned into a Java Bean with getter and setter methods – Backendless supports either one of the approaches:

If you didn't have the Order table in your app before running the code, the table will now contain only the Order objects the code created. As a result, to see the effect of loading the objects which belong to the user, it helps to add an additional object belonging to someone else (or no one). Take a look at the Order table in Backendless console – you will see it contains the ownerId column. That column is automatically added to every table in Backendless. If it contains a value, that value is the objectId of the user who created (saved) the object. Add a new row to the Order table using Backendless console and make sure the ownerId column remains empty. Your Order table should look like the one in the screenshot below (the "fish and chips" order was added manually):

[Screenshot: orders with owner]

The code to load objects from the Order table is below. Make sure the user is logged in before running the code:

Asynchronous sample (Android and Plain Java):

Synchronous sample (Plain Java only):

If you run the code before making any changes in the security policy, it will produce the following output:

Synchronous sample

Asynchronous sample

As you can see, this is not the desired output – the code loads all objects from the table. To make the change so the client app gets only the objects which belong to the user, follow the steps below:

  1. Locate the table for which you would like to make the restriction in the Data screen of Backendless console. In this case it will be the Order table. Click the Table Schema and Permissions button in the upper right corner.
    [Screenshot: owner policy step 1]
  2. Click the Roles Permissions menu.
  3. Locate the AuthenticatedUser role and click the cell at the intersection of that role and the Find column until you see the icon for denying the operation (red X):
    [Screenshot: owner policy step 2]
  4. Once the change is made, re-run the same code for fetching the data from the table. You will see that the code now returns only the objects which belong to the currently logged in user.
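
The before/after behaviour of the steps above, as an added example that is not Backendless code or part of the original post: a simplified Python model of the Find decision, plus a check you can apply to any result set to confirm no foreign rows leak through. The `find` and `foreign_rows` helpers, the permission dictionary layout, and every order and objectId except "fish and chips" are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

GRANT, DENY = "grant", "deny"

@dataclass(frozen=True)
class Order:
    name: str
    owner_id: Optional[str]  # ownerId column: objectId of the saving user, None if empty

# Constructed sample table; the objectId values are made up.
ALICE, BOB = "ALICE-OBJECT-ID", "BOB-OBJECT-ID"
ORDERS = [
    Order("pizza", ALICE),
    Order("salad", ALICE),
    Order("burger", BOB),
    Order("fish and chips", None),  # row added in console with ownerId left empty
]

def find(table: List[Order],
         role_permissions: Dict[str, Dict[str, str]],
         user_id: str) -> List[Order]:
    """Rows a logged-in user gets back from Find in this simplified model."""
    decision = role_permissions.get("AuthenticatedUser", {}).get("Find", GRANT)
    if decision == GRANT:
        # No restriction on the role: every row in the table is returned.
        return list(table)
    # Find is denied for the role, so the Owner Policy applies:
    # only rows whose ownerId equals the caller's objectId are visible.
    return [o for o in table if o.owner_id == user_id]

def foreign_rows(result: List[Order], user_id: str) -> List[Order]:
    """Rows in a Find result that the user does not own.

    A non-empty list means the restriction is not in effect for this table.
    """
    return [o for o in result if o.owner_id != user_id]

if __name__ == "__main__":
    deny_find = {"AuthenticatedUser": {"Find": DENY}}
    for label, perms in (("before", {}), ("after", deny_find)):
        result = find(ORDERS, perms, ALICE)
        leaked = [o.name for o in foreign_rows(result, ALICE)]
        print(label, [o.name for o in result], "foreign:", leaked)
```

The same `foreign_rows` check works against real data: compare the ownerId of each loaded object with the objectId of the logged-in user after changing the permission.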