Serhii Kulibaba
Posts: 150
Joined: Tue Aug 27, 2013 1:47 pm

curl access security to Users collection

Hello,

You are right,

You can disable access to that collection to all users:
Image

Or use Server Code for the user registration feature. Could you clarify what functionality you need?

Guus Vorsterman
Posts: 0
Joined: Thu Jun 18, 2015 10:05 am

Hello,

I have unchecked those options in Users permissions, but I can still execute the curl command and create a new row in the Users collection.

Serhii Kulibaba
Posts: 150
Joined: Tue Aug 27, 2013 1:47 pm

You are right, you don't need a session token for the login service, because the login service provides you with that. (If it required a session token, you couldn't get access to that API.)

Please specify the question: what are you trying to do? Do you want to disallow creating users with curl? It is impossible.

Guus Vorsterman
Posts: 0
Joined: Thu Jun 18, 2015 10:05 am

The question is in my first message.

So can anyone create rows if you know the database id?

The answer, I assume, is yes.

If you know the db id, one can create a script that creates thousands of rows.

Serhii Kulibaba
Posts: 150
Joined: Tue Aug 27, 2013 1:47 pm

We have reported it to our development team and will get back to you with an update as soon as possible.
This can take some time.

Guus Vorsterman
Posts: 0
Joined: Thu Jun 18, 2015 10:05 am

\"password\":\"p1\"}" https://api.appery.io/rest/1/db/users

So can anyone create rows if you know the database id? For custom collections there is a secure collection option. How should this be done for the Users collection?

Serhii Kulibaba
Posts: 150
Joined: Tue Aug 27, 2013 1:47 pm

Hello Guus,

You are able to disallow creating users anywhere except the Appery.io UI by switching it off on the Social connections tab:
Image

Also, you can use the secure proxy (https://devcenter.appery.io/documenta...) for all your requests. The proxy will replace your key with the Database Id, so nobody can get its value. If you need to create users in your app, you have to create one more app, like an admin app.
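
The proxy idea from the post above, as an added sketch that is not part of the original thread and is not Appery.io's proxy implementation: the client sends only a placeholder, and a server-side component swaps in the real Database Id and forwards allowlisted calls only. The header name and host are the ones quoted in the thread; `PLACEHOLDER`, the `ALLOWED` entries and the function names are assumptions made for illustration.

```python
# Added illustration; not Appery.io code. The header name and host are quoted
# in the thread; PLACEHOLDER and the ALLOWED entries are constructed assumptions.
DB_ID_HEADER = "X-Appery-Database-Id"
UPSTREAM = "https://api.appery.io"
PLACEHOLDER = "{DB_ID}"  # hypothetical token the client ships instead of the real id
# (method, path prefix) pairs the proxy forwards. POST /rest/1/db/users
# (user creation) is deliberately not listed.
ALLOWED = {("GET", "/rest/1/db/login"), ("GET", "/rest/1/db/collections/")}


class Rejected(Exception):
    """Raised when the proxy refuses to forward a client request."""


def build_upstream_request(method, path, headers, body, real_db_id):
    """Return the request the proxy would send upstream, or raise Rejected."""
    method = method.upper()
    lowered = {k.lower(): v for k, v in headers.items()}
    # The client may send only the placeholder; any other value is refused.
    if lowered.get(DB_ID_HEADER.lower()) != PLACEHOLDER:
        raise Rejected("database id header must carry the placeholder")
    # Refuse dot segments so an allowed prefix cannot be used to reach /users.
    if ".." in path.split("/") or "%2e" in path.lower():
        raise Rejected("path contains dot segments")
    if not any(method == m and path.startswith(p) for m, p in ALLOWED):
        raise Rejected(f"{method} {path} is not forwarded")
    # Drop every client copy of the header (any casing), then set the real id.
    out = {k: v for k, v in headers.items() if k.lower() != DB_ID_HEADER.lower()}
    out[DB_ID_HEADER] = real_db_id
    return {"method": method, "url": UPSTREAM + path, "headers": out, "body": body}


def try_forward(method, path, headers, body=None, real_db_id="CONSTRUCTED-DB-ID"):
    """Convenience wrapper: returns (forwarded_request, None) or (None, reason)."""
    try:
        return build_upstream_request(method, path, headers, body, real_db_id), None
    except Rejected as exc:
        return None, str(exc)


if __name__ == "__main__":
    client = {"x-appery-database-id": PLACEHOLDER, "Content-Type": "application/json"}
    print(try_forward("GET", "/rest/1/db/collections/todo", client))
    print(try_forward("POST", "/rest/1/db/users", client, '{"username":"u2"}'))
```
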

Illya Stepanov
Posts: 0
Joined: Mon Mar 18, 2013 8:48 am

\"password\":\"p1\"}" https://api.appery.io/rest/1/db/users

and it doesn't work at all. What header parameters are you using for the session token?

Guus Vorsterman
Posts: 0
Joined: Thu Jun 18, 2015 10:05 am

curl -X POST -H "X-Appery-Database-Id: 56e68871e4b08356f82ded8c" -H "Content-Type: application/json" -d "{\"username\":\"u2\",\"password\":\"u\"}" https://api.appery.io/rest/1/db/users
