
Restrict objects with empty ACL

Posted: Tue Oct 22, 2013 5:52 am
by Vladimir Fesko

Hello,
If I omit binding sessionToken in a request to the database while creating a new object, then this object is created with an empty ACL and thus is accessible by all application users. This is not good and is undesired behavior - even if I properly handle sessionToken in the application, no one can restrict a user from sniffing and modifying requests and sending them directly without a token. How can I protect my application database from creating or updating objects without an ACL?



Posted: Tue Oct 22, 2013 7:43 am
by Maryna Brodina

Hello! Yes, this is how ACL works. "How can I protect my application database from creating or updating objects without ACL" - it depends on your app logic. You need to pass sessionToken and the needed ACL while creating/updating records.



Posted: Tue Oct 22, 2013 7:51 am
by Vladimir Fesko

It has nothing to do with app logic, I'm talking about requests which may come from outside of my app - if they don't include sessionToken then the appery.io database itself allows writing objects without an ACL and these objects are shown to all of the app's users.
I'm just wondering how do you deal with this.

Thx!



Posted: Tue Oct 22, 2013 9:36 am
by Maryna Brodina

There are a few ways:
1) You can create an owner_id field in the collection and save the user _id there (retrieve _id from the login service), and show the user only the data where _id is present in the owner_id field.
2) To save to the DB you have to know the Appery-Database-Id (you don't have to use it in the app, specify it somewhere), and you can use server code as a proxy for all requests to the DB: http://docs.appery.io/documentation/b...



Posted: Tue Oct 22, 2013 10:53 am
by Vladimir Fesko

Ok thx, so Server Code is the only way to control access and I will have to create a server script which will act like a generic proxy for all requests. Doesn't sound very exciting)

Thank you.



Posted: Tue Oct 22, 2013 12:36 pm
by Maryna Brodina

Unfortunately this is the only way for now and it's not easy; we are discussing this problem to check what we can do. I'll update this post if I receive any new information.



Posted: Tue Oct 22, 2013 12:38 pm
by Vladimir Fesko

Maryna, thank you very much for the help!



Posted: Tue Oct 22, 2013 8:41 pm
by Kateryna Grynko

Hi Vladimir,

We are working on a feature that will allow keeping API keys on the server.



Posted: Sat Oct 26, 2013 1:45 pm
by Vladimir Fesko

Hello again!
Just in case anyone else is also worrying about app data security - I have created a solution which satisfied my needs:

  • completely hide the database id to restrict direct access to the database interface;

  • create a sandbox environment in the database for every user, so each can modify only its own data, nothing more.

It's a database proxy as Server Code with easy integration in the app. The only thing which I haven't tried to beat is file uploading through server code. I'm just wondering why server code rejects non-GET/POST requests and non-text content types?.. Anyway, in my case creating a public database for storing files was enough.

Here is the script:
https://github.com/vlfesko/appery-dbp...

Thank you!
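
An added example, not part of any post above and not the script linked in the thread: a sketch of the per-request check a server-side database proxy would make, combining the owner_id suggestion with the proxy approach. The request shape, the `SESSIONS` lookup and the `ownerOf` callback are hypothetical stand-ins with constructed data, not Appery APIs.

```javascript
// Constructed sample data: session token -> user _id, and object id -> stored owner_id.
const SESSIONS = new Map([["tok-alice", "u1"], ["tok-bob", "u2"]]);
const STORE = new Map([["o1", "u1"], ["o2", "u2"]]);
const ownerOf = (id) => STORE.get(id); // hypothetical lookup of an object's owner

class Denied extends Error {}

// Takes a client request {sessionToken, method, id, body, where} (assumed shape)
// and returns the request the proxy would forward to the database, or throws Denied.
function authorize(req, loadOwner) {
  // A request without a valid token never reaches the database,
  // so no object can be written anonymously.
  const userId = SESSIONS.get(req.sessionToken);
  if (!userId) throw new Denied("missing or unknown sessionToken");

  switch (req.method) {
    case "create":
      // Any client-supplied owner_id is overwritten with the caller's _id.
      return { method: "create", body: { ...req.body, owner_id: userId } };
    case "read":
      // The ownership constraint overrides whatever owner_id the client filtered on.
      return { method: "read", where: { ...req.where, owner_id: userId } };
    case "update":
    case "delete": {
      if (loadOwner(req.id) !== userId) throw new Denied("not the owner");
      const out = { method: req.method, id: req.id };
      if (req.method === "update") {
        // Drop owner_id from the update so ownership cannot be reassigned.
        const { owner_id, ...rest } = req.body || {};
        out.body = rest;
      }
      return out;
    }
    default:
      throw new Denied("unsupported method");
  }
}

// Demo on constructed requests.
const forged = { sessionToken: "tok-alice", method: "create", body: { text: "hi", owner_id: "u2" } };
console.log(authorize(forged, ownerOf));
try {
  authorize({ method: "create", body: { text: "anonymous" } }, ownerOf);
} catch (e) {
  console.log("rejected:", e.message);
}
```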