How to use the Role Access properly?

Hi,

I have created a role “guests” and assigned it to my application. I have set a System Access configuration as shown below:

What I’m trying to do is prevent the registration of a user from becoming an admin. Not sure if I’m doing it right as I am still able to POST successfully with the field:

is_sys_admin = true

Complete Payload

{
  "email": "user@domain.com",
  "first_name": "User",
  "last_name": "Name",
  "display_name": "User Name",
  "phone": "6785555555",
  "is_active": false,
  "is_sys_admin": true
}

I read the documents here https://github.com/dreamfactorysoftware/dsp-core/wiki/Roles but couldn’t find much detail about this.

Appreciate any help.

Thanks,
Allen

All you need to do is set up a role ‘whatever’ and assign permissions to it (i.e. assign your app and services to that role). You also need to enable open registration in the Config tab and assign open registration users to the role ‘whatever’ you created.

Hi,

Yes I’ve already done that. I have a role ‘guests’. I assigned the following services as shown in the image above.

What I’m trying to do now is, in case a hacker figures out the format of the payload and the URL, prevent him from registering a user with an admin role. I’ve disabled the open registration and used the invitation method as suggested in this thread.

Right now I’m trying to prevent creation of the user by having a condition where the payload is_sys_admin is equal to false. Not sure if I’m doing it right though.

Regards,
Allen

Hi,

I watched the “Introduction to the DreamFactory Admin Console” here, and at 5:10 the video shows that you can add filters to access by entering the column name in the Field, then choosing an operator and entering a value in the Value field. Based on what I understand from the video, in order for the request to succeed, it should meet the condition set in the filter.

In my case I set the Field to “is_sys_admin”, then I set the operation to “=”, then I entered a value of “false”. What I’m hoping this would do is that when a request is made with a payload having a value of “true” for the “is_sys_admin” field, it should fail. However, this is not what’s happening, as I am still able to successfully POST a payload with an “is_sys_admin” value of true.

Appreciate your feedback on this.

Thanks,
Allen

As Ben implied, server-side filters are only supported for service access, not system component access, at this time. Filtering on system components was implemented in the UI but not in the backend. As mentioned in the docs, filtering was implemented originally to provide DB service control. It’s not intended to restrict system components.

If you’re concerned about someone POSTing "is_sys_admin":true I recommend writing a script on system.user.post.pre_process that strips all values from the POSTed body except for "email".
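
The allowlist approach recommended in the answer above, sketched as an added example (not part of the original posts and not DreamFactory's own code). The names `ALLOWED_FIELDS`, `stripRecord` and `stripUserPayload` are hypothetical, the `{ record: [...] }` batch wrapper is an assumption about the request format, and the way a `system.user.post.pre_process` script reads and replaces the request body is left out because it depends on the platform version.

```javascript
// Added example: allowlist filter for a user-creation request body.
// ALLOWED_FIELDS and both function names are hypothetical.
const ALLOWED_FIELDS = ["email"];

// Build a new object from one record, copying only allowlisted own
// properties. Anything else (is_sys_admin, is_active, ...) is dropped
// because it is never copied, whatever its spelling or value.
function stripRecord(record) {
  if (record === null || typeof record !== "object" || Array.isArray(record)) {
    throw new TypeError("record must be a JSON object");
  }
  const clean = {};
  for (const field of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(record, field)) {
      if (typeof record[field] !== "string") {
        throw new TypeError(field + " must be a string");
      }
      clean[field] = record[field];
    }
  }
  return clean;
}

// Accept a single record, or a batch wrapped as { record: [...] }
// (the batch wrapper is an assumption about the request format).
function stripUserPayload(body) {
  if (body && Array.isArray(body.record)) {
    return { record: body.record.map(stripRecord) };
  }
  return stripRecord(body);
}

// Constructed sample: the payload from the question in this thread.
const posted = {
  email: "user@domain.com",
  first_name: "User",
  last_name: "Name",
  display_name: "User Name",
  phone: "6785555555",
  is_active: false,
  is_sys_admin: true
};

// A pre_process script would replace the request body with this result.
console.log(JSON.stringify(stripUserPayload(posted)));
```

Because the filter copies allowed fields into a fresh object instead of deleting known-bad ones, a privileged field added to the user schema later is rejected by default.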

Thanks for the clarification.