FatFractal customer forums



Topic: Object Security Questions

ysp

Object Security Questions
« on: January 09, 2014, 11:29:12 AM »
Are any of the following possible:

1) Hide the 'createdby' field of an object's metadata when it is read: either by setting the metadata within the createFromUri call when it is created, or disabling the metadata load within the getObjFromUri call when it is read? (I think I can do this by changing the metadata on the CREATE event in custom code but if possible I'd like to do it in one call)

2) Set permissions to an object to one of either an FFUserGroup or 'loggedin' based on the user's choice at runtime. For example, the user creates an object 'Room' and determines if everyone can see the room or just his friends, then saves the object. I could set the default permissions to "read: object.permittedUsers" (reference to \FFUserGroup), but if the user selects to share with all 'loggedin' users, would I have to then set object.permittedUsers to reference an FFUserGroup that contains all users? (This seems like a lot of overhead) Or is there a simpler way?

Best,


gkc

Re: Object Security Questions
« Reply #1 on: January 09, 2014, 11:37:17 AM »
1) Yep. Write a RETRIEVE event handler. For example:
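Code:
CREATE HANDLER FFUserGetHandler POST ON /FFUser RETRIEVE AS javascript:require('scripts/FFUserEventHandlers').FFUserGetHandler();
Code:
// Module referenced by the handler definition above ('scripts/FFUserEventHandlers').
var ff = require('ffef/FatFractal');
// 'common' (SYSTEM_USER_GUID, isAdminUser) is a helper module that is not shown
// in this post; it must be in scope for the handler to run.

exports.FFUserGetHandler = function() {
    var retrievedUser = ff.getEventHandlerData(); // the FFUser object being returned
    var currentUser = ff.getActiveUser();         // the user making the request

    // Only the system user, an admin, or the user themselves may see the email.
    if (currentUser.guid !== common.SYSTEM_USER_GUID
        && ! common.isAdminUser(currentUser)
        && currentUser.guid !== retrievedUser.guid)
    {
        // remove 'email' from the object returned to the caller
        delete retrievedUser['email'];
    }
};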

2) Yep. Set default permission as
Code:
PERMIT read:loggedIn ON /MyCollection
and then set per-object permissions (which supersede the default permissions) using the setPermissionOnObject methods.
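
Added example, not part of the original post and not FatFractal code: a stand-alone Node.js model of the two answers above, retrieve-time field redaction (extended to 'createdBy', which the question asks about) and a per-object reader list superseding a 'loggedIn' collection default. All function and field names (redactForViewer, canRead, readers, isAdmin) are hypothetical.

```javascript
// Stand-alone model in plain Node.js; it does not call the FatFractal SDK.
// Every name below is hypothetical and the sample data is constructed.
const SYSTEM_GUID = 'system';                     // placeholder system-user id
const SENSITIVE_FIELDS = ['email', 'createdBy'];  // hidden from other users

// Same three exemptions as the handler in the post: system, admin, owner.
function isPrivileged(viewer, ownerGuid) {
    return Boolean(viewer && viewer.guid) && (viewer.guid === SYSTEM_GUID ||
        viewer.isAdmin === true || viewer.guid === ownerGuid);
}

// Retrieve-time redaction. Works on a copy so the stored record is untouched,
// and treats a missing viewer (anonymous request) as unprivileged.
function redactForViewer(record, viewer, ownerGuid) {
    const out = Object.assign({}, record);
    if (!isPrivileged(viewer, ownerGuid)) {
        for (const field of SENSITIVE_FIELDS) delete out[field];
    }
    return out;
}

// Read decision: a per-object reader list, when set, supersedes the
// collection default. Assumption of this model: the creator keeps access.
function canRead(obj, viewer, collectionDefault) {
    if (!viewer) return false;                      // not logged in
    if (viewer.guid === obj.createdBy) return true;
    if (Array.isArray(obj.readers)) return obj.readers.includes(viewer.guid);
    return collectionDefault === 'loggedIn';
}

// Constructed sample data.
const alice = { guid: 'u1' }, bob = { guid: 'u2' }, carol = { guid: 'u3' };
const aliceRecord = { guid: 'u1', userName: 'alice', email: 'alice@example.test' };
const openRoom = { name: 'lobby', createdBy: 'u1' };
const friendsRoom = { name: 'den', createdBy: 'u1', readers: ['u3'] };

console.log(redactForViewer(aliceRecord, bob, aliceRecord.guid));  // no email
console.log(canRead(openRoom, bob, 'loggedIn'));      // true
console.log(canRead(friendsRoom, bob, 'loggedIn'));   // false
console.log(canRead(friendsRoom, carol, 'loggedIn')); // true
```
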

ysp

Re: Object Security Questions
« Reply #2 on: January 09, 2014, 12:19:38 PM »
Thanks, I'll give it a shot!

...regarding API calls:

1) Does the FFUserGetHandler code you posted count for 2 api calls (ff.getEventHandlerData(), ff.getActiveUser())?

2) Would setting the permissions this way require 2 calls? (1 to create the object and 1 to set the permissions)

best,





gkc

Re: Object Security Questions
« Reply #3 on: January 09, 2014, 03:12:23 PM »
1) No. Some server-side operations do not count towards your API count - basically the ones that don't involve hitting the datastore or driving network traffic. Your question has made me realize that this is not clear, so thank you - I've updated the documentation for the server-side SDK. See here http://www.fatfractal.com/prod/linked_files/FF-Javascript-Server-Side-Docs/global.html#toc18 for getEventHandlerData() - all functions which do not increase the server-side API call count now say as much.

2) Yes, that's correct.

ysp

Re: Object Security Questions
« Reply #4 on: January 09, 2014, 04:54:48 PM »
awesome, thanks for clarifying.

 
