Record level access control for roles

Chakr · September 21, 2015, 9:53am

Hi

I am using dreamfactory on bluemix and cloudant database as a service in dreamfactory.
I want to setup several roles for my app and give different access controls to different roles. So I’ve been trying to setup record level access control in dreamfactory.

I gave access to a users database to a particular role, and I also allowed only a couple of methods (GET and PATCH). It’s working fine but when I try to add advanced filters, I’m not able to see any difference.

For example every user in the users database must have a property called “org_email”, and only the user whose email on dreamfactory equals “org_email” field in the users database in cloudant should have access to that particular record. So when I log in as a user with that role, and make a GET request to that database, I still see every record in that database.

This is what I did. Please do let me know if there’s anything wrong with it.

Regards,
Chakradhar

formerstaff · September 21, 2015, 7:27pm

Hi Chakr.
I was able to replicate this issue and I think it might be a bug. Checking with our Engineering team.

I also went ahead and tested this in DreamFactory 2.0 and confirmed that it works as expected.

formerstaff · September 22, 2015, 7:09pm

I followed up with Engineering today. This issue is a bug and is resolved in DF 2.0

Topic		Replies	Views
How to implement data access based on a table with user's permissions Authentication & Security	1	5124	October 23, 2014
Record-level security: advanced filters and non-GET requests REST API	2	3606	October 21, 2015
User Authentication And Authorization for the User Capabilities Users & Roles	1	2218	June 9, 2014
Strategy user security on Db record level based on permison defined in db table Authentication & Security	0	2306	September 20, 2016
Setting up roles	0	1415	June 29, 2017

Record level access control for roles

Related Topics