Security

Security

When you access the Appery.io database via the REST API key, access can be restricted by the ACL. The ACL is formatted as a JSON* object where the keys are either object IDs or the special key *** to indicate public access permissions. The values of the ACL are permission objects: JSON objects whose keys are the permission name and a value that is always true.

For example, if you want the user with ID 5278cafce4b01085e4b7945a to have to read-and-write access to an object, as well as make the object publicly readable, the corresponding ACL is:

{
   "54539efee4b05c4ac3b9737f": { "read": true, "write": true },
   "*" : {  "read" :  true }
}

If you want to hide any record from a specific user, set the read property to false. Note that the * symbol has a priority, so you need to remove it from the ACL:

{
 "54539efee4b05c4ac3b9737f":{"read":false,"write":true}
}

In the database editor, it looks like:

You can still read and modify ACLs via the REST API, just by accessing the ACL key of an object.
For instance, the following example updates the ACL data of one of the tasks. Log in to the database, as shown in signing in.
Set up the service as you would for an object update. You need to add the X-Appery-Session-Token, (which you get upon login), and the ACL field with the type of object:

curl -X PUT 
   -H "X-Appery-Database-Id: 544a5cdfe4b03d005b6233b9" 
   -H "X-Appery-Session-Token: c6771e2f-44ae-42ea-9946-5fa320578233" 
   -d "{"acl":{"*":{"read":true,"write":false},"5588396fe4b0b40eb7839d0a":{"read":true,"write":true}}}" 
   https://api.appery.io/rest/1/db/users/54539efee4b05c4ac3b9737f

Remember that if the user doesn’t have permission to write the object, it cannot be updated. So you have to change the write property from the database editor.

If you want to access your data and ignore all ACLs, you can use the X-Appery-Master-Key header instead of X-Appery-Session-Token provided in the database Settings tab:

For security, the master key should not be distributed to end users, but if you are running code in a trusted environment, feel free to use the master key for authentication.