ACL is confusing me. I request some explanation.

0 votes
Hi,

The FAQ N°9 explains that if "user A has created a JSON object, and default permission is set to PUBLIC READ, all app users would be able to access his JSON object". I created a TEST app with ACL and default PUBLIC READ. What confused me is that I was able to add a simple JSON document using only the API Key and SECRET key. So who is able to access this document? Does it belong to someone?

In the FAQ "Security" it's written that "In ACL enabled app, it is required to pass sessionId of user who is making call." I haven't used any sessionId as I don't have any user in the TEST db. That did not prevent me from adding my simple JSON doc. So, required or not?

The same page uses the terms PUBLIC/READ, PUBLIC/WRITE and PUBLIC/ALL. Are they reserved ROLES? What do you mean by ALL? WRITE should obviously grant READ access... Does ALL mean there are other reserved ROLES? The "Create User With Role" API example adds Admin, Manager, Programmer and Tester roles. Are we talking about the same kind of role and ACL? I guess not...

And finally, with ACL, the app gets an Admin Key. I found no reference to that Key in any service in the API documentation. I feel a little bit silly to be so confused. I hope someone can explain all that stuff to me. I wish the documentation were a little more detailed, with real-world examples.

Thanks

[EDIT] typo.
asked Apr 16, 2017 in Unity by starcmd (29 points)
edited Apr 17, 2017 by starcmd

1 Answer

+1 vote
 
Best answer

Hi Starc,

Thanks for your valuable feedback, will definitely work on it. 

Regarding your query, please find my answer inline and let us know if any other help required from our end:

Ques: What confused me is that I was able to add a simple JSON document using only the API Key and SECRET key. So who is able to access this document? Does it belong to someone? In the FAQ "Security" it's written that "In ACL enabled app, it is required to pass sessionId of user who is making call." I haven't used any sessionId as I don't have any user in the TEST db. That did not prevent me from adding my simple JSON doc. So, required or not?

Ans: It is because the document which you insert in the Storage service is inserted as an ANONYMOUS USER. In this case, anyone can access this document and update it. Using the session id or admin key, the document is bound to the owner name with whom the session is associated, and later on only that user/Admin (using the admin key) will have access to update the document.

Ques: The same page uses the terms PUBLIC/READ, PUBLIC/WRITE and PUBLIC/ALL. Are they reserved ROLES? What do you mean by ALL? WRITE should obviously grant READ access... Does ALL mean there are other reserved ROLES? The "Create User With Role" API example adds Admin, Manager, Programmer and Tester roles. Are we talking about the same kind of role and ACL?

Ans: Role in the User service is not related to ACL. It is a role which you assign to your app users. For example: if you have an E-Commerce app, over there you have two types of users. 1 is Buyer and 2nd is Seller. So you can assign the roles buyer and seller.

Yes, you are right: if you have PUBLIC WRITE access, that means you have READ access as well. It is just a representation in the form, and I would suggest my team have a look into it and remove it if they can.

Please feel free to let me know if you need any other help from my side.  

For more details on ACL, please go through this tutorial

Regards,

Himanshu Sharma

 

answered Apr 17, 2017 by hs00105 (2,005 points)
selected Apr 17, 2017 by starcmd
This is a really good answer. Thanks.
The existence of the ANONYMOUS USER is the key to understanding...
And finally, yes, I have found a reference to the Admin Key in your tutorials (Security), which are less a tutorial than a FAQ or a reference!

(Sorry for the lack of line feed (?) in my previous post)
Let me know if any other help required from my end. I will be happy to help you!

Regards,
Himanshu Sharma
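To make the ownership rules from the accepted answer concrete, here is a small model of them (an added example, not code from the original post and not the App42 SDK or REST API). It is a hypothetical in-memory store that simulates the behaviour the answer describes: a document inserted with only the API key and secret gets the ANONYMOUS owner and can be read and updated by anyone; a document inserted with a session id is bound to that session's user and can only be updated by that user or by a caller presenting the admin key; the app-level default permission (PUBLIC READ here, PUBLIC WRITE implying READ) governs who else may read. The `AclStore`, `Document`, `PRIVATE` and `ADMIN-KEY-PLACEHOLDER` names, the login/session mechanism and the "unknown session counts as anonymous" rule are all assumptions made for the model.

```python
"""Toy model of the App42-style ACL ownership rules described in the answer.

Hypothetical code: it does NOT call the App42 SDK or REST API; it only
simulates the behaviour the answer describes so the rules can be checked.
"""
from dataclasses import dataclass
import secrets

ANONYMOUS = "ANONYMOUS"

# App-level default document permissions; PUBLIC WRITE implies PUBLIC READ.
PUBLIC_READ = "PUBLIC READ"
PUBLIC_WRITE = "PUBLIC WRITE"
PRIVATE = "PRIVATE"          # assumed name for "not public" (owner/admin only)


@dataclass
class Document:
    doc_id: str
    owner: str               # ANONYMOUS when inserted with only API key + secret
    body: dict


class AclStore:
    def __init__(self, default_permission=PUBLIC_READ,
                 admin_key="ADMIN-KEY-PLACEHOLDER"):
        self.default_permission = default_permission
        self.admin_key = admin_key      # constructed placeholder, not a real key
        self.sessions = {}              # session_id -> app user name
        self.docs = {}                  # doc_id -> Document

    def login(self, user):
        """Create a session for an app user (stands in for the User service)."""
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = user
        return session_id

    def _caller(self, session_id):
        # No session (API key + secret only) or an unknown session id:
        # the caller is treated as the ANONYMOUS user.
        return self.sessions.get(session_id, ANONYMOUS)

    def insert(self, doc_id, body, session_id=None):
        """Insert a document; ownership is taken from the session, if any."""
        doc = Document(doc_id, self._caller(session_id), dict(body))
        self.docs[doc_id] = doc
        return doc.owner

    def can_read(self, doc_id, session_id=None, admin_key=None):
        doc = self.docs[doc_id]
        if doc.owner == ANONYMOUS or admin_key == self.admin_key:
            return True
        if self.default_permission in (PUBLIC_READ, PUBLIC_WRITE):
            return True                 # all app users may read
        return self._caller(session_id) == doc.owner

    def can_update(self, doc_id, session_id=None, admin_key=None):
        doc = self.docs[doc_id]
        if doc.owner == ANONYMOUS or admin_key == self.admin_key:
            return True                 # anonymous docs are writable by anyone
        if self.default_permission == PUBLIC_WRITE:
            return True
        return self._caller(session_id) == doc.owner


def demo():
    """Replay the question's scenario: PUBLIC READ default, one insert without a session."""
    store = AclStore(default_permission=PUBLIC_READ)
    store.insert("anon-doc", {"hello": "world"})       # API key + secret only
    alice = store.login("alice")
    bob = store.login("bob")
    store.insert("alice-doc", {"owner": "alice"}, session_id=alice)
    return {
        "anon_doc_updatable_by_bob": store.can_update("anon-doc", session_id=bob),
        "alice_doc_readable_by_bob": store.can_read("alice-doc", session_id=bob),
        "alice_doc_updatable_by_bob": store.can_update("alice-doc", session_id=bob),
        "alice_doc_updatable_by_alice": store.can_update("alice-doc", session_id=alice),
        "alice_doc_updatable_with_admin_key": store.can_update(
            "alice-doc", admin_key=store.admin_key),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The point the model makes is the one the answer makes: an insert performed with only the API key and secret produces a document nobody owns, so the ACL cannot protect it; once a session id is supplied the document is bound to that user and the admin key is the only other way to modify it. Switching the default to `PRIVATE` in the model also shows why the default permission matters for reads, not just writes.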