Restrict mongoDB data to document's owner

Antonello_Pasella · March 22, 2016, 4:07pm

Hi all,
is there a “golden way” to restrict each user to its own data?

Let’s talk about “game achivements” by my registered user.

Him will need to:

create records in a mongodb collection called Achivement
edit this records
view only his records

I saw the user_id_on_create and api_read_only fields but I’m not able to figure out this.

Is only a schema topic or also a service security one?

thanks!

Antonello

toddappleton · March 23, 2016, 1:15pm

We have some blog posts on this. You can create a server side filter on Achievement where the owner id field of the record = the value of the lookup key {user.id}. This is done as part of the role service access settings.

These were written for DreamFactory 1.x but the concepts are the same for 2.x.

Antonello_Pasella · March 23, 2016, 3:36pm

great posts!

Thank you!

Topic		Replies	Views
Record-level security: advanced filters and non-GET requests REST API	2	3656	October 21, 2015
Enduser Authentication - Restriction to sql Data Authentication & Security	1	1704	January 26, 2016
How do i filter/restrict a table based on a table field? Server-Side Scripting	1	1762	February 8, 2017
How to implement data access based on a table with user's permissions Authentication & Security	1	5197	October 23, 2014
How to check a user's permissions on an external database? REST API	4	1706	February 17, 2015

Restrict mongoDB data to document's owner

Related Topics