Record-level security: advanced filters and non-GET requests


#1

I want to implement record-level security with DreamFactory and a MySQL database service. I have a table on which I want to allow full access (GET, POST, …) to users, but only on their own set of records. So I added a column owner_id to the database table and an advanced filter owner_id = {user.id}. The service is located on another MySQL database server. When I retrieve existing records (GET) everything works fine. My expectation was that when I do a POST to create a new record, DreamFactory automatically adds the owner_id field with the user ID of the current user to the insert statement. But that does not seem to be the case. I’m getting an “owner_id cannot be NULL” error from MySQL. Is it possible to achieve this without server-side scripting?

Thanks, Joerg


#2

There are several examples of this in the blog and forum, but it won’t work unless you create and populate your owner_id column. I can’t think of a way that DreamFactory would know to populate this field automatically.

This post by @benbusse is a great overview with links to other resources on the topic: How to implement data access based on a table with user’s permissions. Another post by Ben gives an example in AngularJS: How would I manage (in the DSP), every user has his/her own Todo-List?. There, he says,

In Ben’s AngularJS example, the app adds the logged-in user’s {user.id} to the POST, PUT, and DELETE calls so they can be filtered on by the server-side filter he has in place.


#3

From my understanding, adding the logged-in user’s user ID on the client side when creating records is not really secure, because anybody with a valid user session (and with open registration enabled, anybody can have one) who knows my user ID could then create records for me by using it as the value for the owner_id field. I would be the only one who can read these records because of the server-side filter, but it is still not desirable.
I need the backend API to add the owner_id automatically. DreamFactory knows my user ID because I have a valid session, and the server-side filter expression “owner_id = {user.id}” works for GET, etc. Why shouldn’t it work for POST too?
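The point raised in #3 is the usual ownership-enforcement rule: the server must set and check owner_id from the authenticated session, and anything the client sends in that field is discarded. The following is an added example, not DreamFactory code and not an API the product exposes; it models the behaviour a server-side pre-process step on POST/PUT/DELETE would have to provide. Everything in it is an assumption for illustration: the session shape `{ user: { id } }`, the in-memory `table` standing in for the MySQL table, and the function names.

```javascript
// Added example (not DreamFactory's code). Assumed session shape:
// { user: { id: <number> } }, taken from the authenticated session,
// never from the request body.

// Constructed in-memory stand-in for the MySQL table.
const table = [];
let nextId = 1;

function resetTable() {
  table.length = 0;
  nextId = 1;
}

// POST: drop any client-supplied owner_id and set it from the session,
// so a user who knows someone else's id cannot create records for them.
function createRecord(session, payload) {
  const { owner_id: _clientOwner, id: _clientId, ...fields } = payload;
  const record = { id: nextId++, ...fields, owner_id: session.user.id };
  table.push(record);
  return record;
}

// GET: the server-side filter owner_id = {user.id}, applied on read.
function listRecords(session) {
  return table.filter((r) => r.owner_id === session.user.id);
}

// Shared ownership check for PUT/DELETE. Returns undefined when the
// record does not exist OR belongs to someone else, so the caller
// cannot distinguish the two cases (no record-id enumeration).
function findOwned(session, id) {
  const rec = table.find((r) => r.id === id);
  return rec && rec.owner_id === session.user.id ? rec : undefined;
}

// PUT: only the owner may update, and owner_id/id are never writable.
function updateRecord(session, id, payload) {
  const rec = findOwned(session, id);
  if (!rec) return { status: 404 };
  const { owner_id: _clientOwner, id: _clientId, ...fields } = payload;
  Object.assign(rec, fields);
  return { status: 200, record: rec };
}

// DELETE: same ownership check; returns true only if a row was removed.
function deleteRecord(session, id) {
  const rec = findOwned(session, id);
  if (!rec) return false;
  table.splice(table.indexOf(rec), 1);
  return true;
}
```

The two places that matter are the destructuring that throws away `owner_id` from the payload (the client cannot choose an owner) and `findOwned`, which is the server-side equivalent of applying the `owner_id = {user.id}` filter to writes, not just to GET.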