How to check a user's permissions on an external database?


#1

Sorry if that’s a bit of an unspecific title and maybe a stupid question, but here we go:

I’m using DreamFactory to manage my users, their permissions and their access on the database. The user’s respective data (e.g. what the user stores in my app) will be stored in MySQL. We’re talking about a hybrid app, both web-based and mobile (PhoneGap), i.e. I need to use a wildcard-CORS.

But here’s the deal: If the user’s group has the “DELETE”-permission, anyone who reads the session-ID from the browser’s cache will be able to access the API via Postman (or any manual API-calls for that matter) and delete not only his/her data but also everyone else’s.

So: Is there any way to check if the requesting user’s ID matches the record’s ID?

Thanks.


#2

If I’m not mistaken, this use case is very close to what @jvc has accomplished for his app using server-side scripting. @jvc, do you have any advice for @BeerBeer?


#3

The easiest way to accomplish this is by setting up a server side filter on the role using an OwnerId field. This prevents anyone from accessing records they are not the owner of. See wiki for an example.

https://github.com/dreamfactorysoftware/dsp-core/wiki/Server-Side-Filters
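To make the owner-filter idea in this answer concrete, here is an added illustration (example code, not DreamFactory's implementation): every DELETE is ANDed with an `owner_id = <session user>` clause on the server, and INSERTs stamp `owner_id` from the session. The `notes` table, its `owner_id` column, the allowed-filter-column list and the in-memory SQLite database standing in for MySQL are all assumptions.

```python
import sqlite3

# Constructed sample data standing in for rows in the app's MySQL table.
SAMPLE_ROWS = [(1, 1, "alice note"), (2, 1, "alice other"), (3, 2, "bob note")]
# Columns a client may filter on; owner_id is deliberately not among them.
ALLOWED_FILTER_COLUMNS = {"id", "body"}

def open_db():
    """Create the in-memory stand-in table and load the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db

def build_where(session_user_id, client_filter=None):
    """Server-side owner filter ANDed with a whitelisted, parameterised client filter.
    The owner id comes from the authenticated session, never from the request."""
    clauses, params = ["owner_id = ?"], [session_user_id]
    for col, val in (client_filter or {}).items():
        if col not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"filtering on {col!r} is not permitted")
        clauses.append(f"{col} = ?")
        params.append(val)
    return " AND ".join(clauses), params

def delete_notes(db, session_user_id, client_filter=None):
    """DELETE scoped to the session user's own rows; returns the number removed."""
    where, params = build_where(session_user_id, client_filter)
    cur = db.execute(f"DELETE FROM notes WHERE {where}", params)
    db.commit()
    return cur.rowcount

def insert_note(db, session_user_id, body):
    """INSERT that stamps owner_id from the session so a client cannot forge ownership."""
    cur = db.execute("INSERT INTO notes (owner_id, body) VALUES (?, ?)", (session_user_id, body))
    db.commit()
    return cur.lastrowid

def remaining_ids(db):
    """Ids still present, in order, so callers can verify what a DELETE touched."""
    return [row[0] for row in db.execute("SELECT id FROM notes ORDER BY id")]
```

With a stolen session for user 2, a DELETE aimed at record 1 removes nothing, and a filter-less DELETE removes only user 2's rows.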


#4

what Todd said - this allows only the creator of a record to see that record…


#5

Thanks a lot, I’ll try that!