(failed) binding users to just a given application


#1

Hello,
I created a new app and with “Assign this App to a Role” I added a role to it.
The role I used has just one app in its Apps/AppsOverview tab.
I created a user and I added it to another role.
Unexpectedly, I was able to login to my app using this new user.
What am I missing?
Thanks.


#2

Application name is just an API key. As long as a valid API key is provided, a valid user will be allowed to login. Since an app is just a key, it’s not fully evaluated until the client tries to make an actual call, not just login.

For example, I have a user with role “test” (which can only access a service called “smtp”) and the role only has the app name “demo” selected. I login but provide a different app name, “admin”:

$ curl -i -3 -k dsp/rest/user/session -H "X-DreamFactory-Application-Name: admin" -d '{"email":"user@domain.com", "password":"password"}'

I get back a 200 with a session_id value. Now I try to call the “smtp” service, which I know the user’s role may access:

$ curl -i -3 -k dsp/rest/smtp -H "X-DreamFactory-Application-Name: admin" -H "X-DreamFactory-Session-Token: hansmqnhellvor1ssaacr6r2a4"

I receive a 403 (Forbidden) because the now-logged-in user may not access application “admin.” Role-to-application access is evaluated prior to role-to-service access.

{"error":[{"context":null,"message":"Access to application 'admin' is not provisioned for this user's role.","code":403}]}

However if I supply the app name “demo,” which this user’s role has selected,

$ curl -i -3 -k dsp/rest/smtp -H "X-DreamFactory-Application-Name: demo" -H "X-DreamFactory-Session-Token: hansmqnhellvor1ssaacr6r2a4"

I receive a 200 with the service’s response.

However if I try to call a different service that the user’s role does not have selected, e.g., the db service,

$ curl -i -3 -k dsp/rest/db -H "X-DreamFactory-Application-Name: demo" -H "X-DreamFactory-Session-Token: hansmqnhellvor1ssaacr6r2a4"

The user’s role prevents it with another 403:

{"error":[{"context":null,"message":"GET access to service 'db' is not allowed by this user's role.","code":403}]}

Even though the application name the user originally supplied at login (“admin”) would have access to /rest/db. So the restrictions work, just not in the way you expected.


#3

A manual quality answer, thank you. I’m sure it would help others as well. I started to suspect what you described a bit late. Thanks again.