Yaniv
Posts: 0
Joined: Wed Jun 12, 2013 8:38 pm

Set fully secured DB permission for different kind of users ("Read", "Read and Write")

Hi,
After reviewing the docs and the questions in the support area, I am still unclear about the right way to fully secure the data and permissions of my DB.

In my application there are 2 users only:

  1. User that can "Read" the information from DB (read the data from DB and display it on screen).
    I will use a single user for this since log in is not required; this user is only for getting DB "Read" permission.

  2. User that can read/write/edit/delete records (admin).

In that case my DB design goal is the following:

  1. Provide the ability to access the DB in "Read" only mode,
    meaning that the users that access the DB will be able to read the data from collections and that's it! (cannot edit or ADD new records).
    REMINDER: In my application all users will use the same User since this user is only for DB protection, nothing else unique that I need per user.

    1.a. Block the application users that have "Read" only access from:
    1.a.1 - Adding an additional User with full permissions to the Users collection and by that getting full control of the DB.
    1.b.2 - Getting the list of existing Users that are saved in the collection.

  2. Provide the ability to access the DB in "Read" and "Write" mode (Admin access), meaning that the users that access the DB will be able to read and write data from/to collections.

Based on all the information that I read and tested:
To handle item #1 we need to do the following steps:

  1. Create user in Users collection.

  2. Set collection as secured.
    * Access all collections and add restriction for this user that he will not be able to read any record (and this needs to be done on record level!)
    Till here - OK, the user can only read the rows data and cannot edit it.

The Issues:

  1. This user CAN add new record to the collection (with ANY permission that he wants!!!).

  2. This user CAN add new User with full permission to the application!!!!

  3. Need to add permission per record to support it instead of doing it on collection level.
    * Setting the collection permission as "Read" only will not solve it since I have an Admin user that needs Write permission also.

To handle item #2 we need to do the following steps:

  1. Create user in Users collection.

  2. Set collection as secured.
    * Access all collections and add full permission to this user (and this needs to be done on record level!).
    Till here - OK, the user can Read and Write.

The Issues:

  1. Need to add permission per record to support it instead of doing it on collection level.

Because of all the above items I cannot identify the right way to define the users and collections to support FULLY secured DB access.

Can you review and let me know the right way to achieve all of the above?

In addition I saw that in case I'm using the same DB User for all application users they will get the same token in case it is still alive.
Is there any issue with that?

Reference that I used:

  1. Appery docs (http://devcenter.appery.io/documentat...)

  2. Related post - "how_to_set_database_permission_correctly" (https://getsatisfaction.com/apperyio/...)

Thanks

Alena Prykhodko
Posts: 0
Joined: Tue Apr 09, 2013 7:36 am

Hello Yaniv,

To grant read/write access you can use ACL: http://devcenter.appery.io/documentat...

[quote:] In addition I saw that in case I'm using the same DB User for all application users they will get the same token in case it still alive.
Is there any issue with that? [/quote]
It's secure.

Don't hesitate to ask us if anything is unclear.

Yaniv
Posts: 0
Joined: Wed Jun 12, 2013 8:38 pm

In the link you direct us to the Users table.
In this table, even if I add the following permission to the ACL, all issues in the original post exist (User can read and write).

ACL permission that was tested on the given user in the User table (to allow Read only access):
{"":{"read":false,"write":false}}
{"":{"read":false},"53ac7f95e4b07420882b3ead":{"read":false,"write":false}}

Evgene Karachevtsev
Posts: 12
Joined: Mon Apr 28, 2014 1:12 pm

Hello Yaniv,

Please try this ACL for permissions: read for all, edit and read only for the user with id=53ac7f95e4b07420882b3ead

{"*":{"read":true},"53ac7f95e4b07420882b3ead":{"read":true,"write":true}}

Yaniv
Posts: 0
Joined: Wed Jun 12, 2013 8:38 pm

Tried, same issue, let me try to explain it again:

I have a DB that contains many collections.
In addition I have 2 types of users in the system:

  1. ReadOnlyUser

  2. ReadWriteUser (admin)

I want to give read only permission to user #1 for all collections and read write permission to user #2 for all collections.
IMPORTANT: I want to give this permission on User level and not in each row in each collection!

To simulate this I created iTestDB (shared with you).
This DB contains 2 users, ReadOnlyUser and ReadWriteUser (pass: 0000 for both).
In addition I added a few tables with data (for those tables the ACL column is empty).

Now I did the following:

  1. Set permission for both users in User collection (read to all, read and write to ReadWriteUser):
    {"*":{"read":true},"53af328be4b07420882b42ee":{"read":true,"write":true}}

  2. Log in using the service test with user ReadOnlyUser - in order to get the "X-Appery-Session-Token".

  3. Invoke query service for table GEN_INFO using ReadOnlyUser token,
    Get the response - working OK.

  4. Invoke create service for table GEN_INFO using ReadOnlyUser token,
    New row added - Error (not allowed since this is read only user).

What needs to be set/changed in order to make it work?

Alena Prykhodko
Posts: 0
Joined: Tue Apr 09, 2013 7:36 am

[quote:]
Invoke create service for table GEN_INFO using ReadOnlyUser token,
New row added - Error (not allowed since this is read only user).
[/quote]

Please clarify: do you use the ReadOnlyUser token here?
Only ReadWriteUser has permissions to write (create) in this Collection.

Yaniv
Posts: 0
Joined: Wed Jun 12, 2013 8:38 pm

As mentioned in step 2, I am getting the ReadOnlyUser token and invoking the Create service with it, and a new row is added.
Keep in mind that the end user can get this token and do with it whatever he wants.
So from a security aspect the DB should block this kind of operation.

Evgene Karachevtsev
Posts: 12
Joined: Mon Apr 28, 2014 1:12 pm

Hello Yaniv,

You cannot set permissions on a collection in Appery.io. You can do it only for separate entries.
As an option, you can use the server code as a proxy for calls to the DB (http://devcenter.appery.io/documentat...).

Yaniv
Posts: 0
Joined: Wed Jun 12, 2013 8:38 pm

I'm sorry but something here is really not clear to me.
The goal here is that we will have 2 types of users:

  1. Read Only

  2. Read and Write

For that we are setting a user with "Read Only" permission in the DB, but actually somehow this user can even Write to the DB.
Isn't it a huge security breach?! Think what can be done due to this (create user with full permission, query all DB etc).

You suggested to use server code to enforce it (keep in mind that due to that we need to rewrite all application existing services, mapping, JS etc).
Anyhow, I did it through Server Code and managed to reproduce it also there (Read Only user creates new objects in collection), script is shared ("ReadOnlyUserWriteTest").

Server Code Script example:
var dbId = "xxxxxxxxxxxxxxxxxxxxxxx";
var username = "ReadOnlyUser";
var password = "0000";

// Log in as the read-only user and take its session token
var token = DatabaseUser.login(dbId, username, password).sessionToken;
// Create a row in GEN_INFO using that read-only token
Collection.createObject(dbId, "GEN_INFO", {"Name":"233333333", "PhoneNum":"123", "Age":"22"}, token)._id;

Can you please double check it, since if this is the case it means that our DB is exposed to anyone with full permissions.

Thanks

Evgene Karachevtsev
Posts: 12
Joined: Mon Apr 28, 2014 1:12 pm

Yaniv,

Access rights for users to collections in databases are not set in Appery.io. There is only the right of access to individual records (implemented by ACLs).
In the server code, you should deny writes to users with "read-only" access at code level (do not make the entry if the user has only "read only" access).
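
The code-level check suggested in the last reply, shown as an added example that is not part of the thread and is not Appery.io code. The store is an in-memory stand-in that accepts a create from any valid session, as reported above; `makeStore`, `proxy`, the role map and the tokens are hypothetical names and constructed data.

```javascript
// Added example; makeStore and proxy are hypothetical names, not Appery.io APIs.
// User names and tokens below are constructed sample data.
const ROLES = new Map([["ReadOnlyUser", "reader"], ["ReadWriteUser", "admin"]]);
const ADMIN_ONLY_COLLECTIONS = new Set(["Users"]);

// Stand-in for the database: like the behaviour reported in the thread,
// it accepts a create from any valid session, whatever the user's role.
function makeStore() {
  const sessions = new Map(); // token -> username
  const rows = new Map();     // collection -> array of objects
  return {
    login(username) {
      const token = "tok-" + username;
      sessions.set(token, username);
      return token;
    },
    whoami(token) { return sessions.get(token) || null; },
    create(collection, obj, token) {
      if (!sessions.has(token)) throw new Error("invalid session");
      if (!rows.has(collection)) rows.set(collection, []);
      rows.get(collection).push(obj);
      return rows.get(collection).length; // row count after insert
    },
    query(collection) { return (rows.get(collection) || []).slice(); },
  };
}

// Proxy entry point. The role comes from the server-side session lookup,
// never from anything the client sends, and unknown users get least privilege.
function proxy(store, { token, op, collection, body }) {
  const user = store.whoami(token);
  if (!user) return { status: 401, error: "not logged in" };
  const role = ROLES.get(user) || "reader";
  // Deny by default: a non-admin may only query, and never the Users collection.
  if (role !== "admin" && (op !== "query" || ADMIN_ONLY_COLLECTIONS.has(collection))) {
    return { status: 403, error: "read-only user" };
  }
  if (op === "query") return { status: 200, data: store.query(collection) };
  if (op === "create") return { status: 200, data: store.create(collection, body, token) };
  return { status: 400, error: "unsupported operation" };
}
```

The gate only holds if clients cannot call the collection services directly with their own session token, which is the concern raised earlier in the thread.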
