User permissions for Cloud Functions

2 posts, 0 answers
  1. Jonathan
    Jonathan avatar
    4 posts
    Member since:
    Jul 2016

    Posted 27 Aug Link to this post

    I have some data for which users can set a flag to specific other users their status. So I have a data type named Availability which contains data for a specific user with a field called contactAvailability which is an array of objects and is read by my app when this users logs in. Now I need other users to be able to update their status in contactAvailability, but from a security POV I want them to be able to update only the object in the array that is relevant for them (so they won't be able to update the status of other users).

    To achieve this I though it best to use a Cloud Function. However, I am assuming that a Cloud Function will always run as the user that is logged in when invoking the function right? Is it possible to run it as a user that has access to all objects even when permissions are set to private? If I set the permissions to public then someone can always alter all data from any client right?

    Is there another way I can achieve this?

    Thanks!

     

  2. Anton Dobrev
    Admin
    Anton Dobrev avatar
    539 posts

    Posted 29 Aug Link to this post

    Hello,

    You may consider using the different flavors of the JS SDK instance as explained here. For the current case it appears that you need the withMasterKey initialization.

    Yes, it would be better to keep the permissions over a type as strict as possible and in such cases expose a small portion of functionality when needed over a cloud function.

    Also, revise the permissions who is able to contact the cloud function as well.

    Hope this helps.

    Regards,
    Anton Dobrev
    Telerik by Progress
     
    Everlive is now Telerik Backend Services, and is part of the Telerik Platform.
     
Back to Top