Rank 1
I have a mobile game and store sensitive information about the users in a large table. This table has hundreds of thousands of rows. Each row has the user id that the row is for.
One premise of the game is that you can play based on your information in the table or off of one of your friends information.
Friends are determined by Facebook friends that also play the game. So, this is ever changing.
I'd like to implement a security strategy that only allows you or your friends to see your information. I don't think this is possible with roles because the friends list can change so much (new friends added in Facebook, new friends that access the application, etc.). So, I am thinking it needs to be done with custom Business Logic. But, I don't even know where to start to figure out how to implement a security feature like this in custom Business Logic.
So, my question is 2-fold:
1. What are your thoughts on how to implement the security functionality I described above? Any examples?
2. If what I described above is not possible, is there a security strategy where I can at least prevent someone from doing a Select All query from this sensitive table? That will at least allow me to prevent someone from getting all our data.
Thanks in advance,
Greg
1 Answer, 1 is accepted
To accomplish this you may want to review the access control section and the available type-level and item-level permissions here. You may also involve custom user Roles. They may be beneficial for you to make a robust solution. You can also review this forum post for suggestions how permissions and roles can be used.
Also, here is a simple example setup with server-side logic (Cloud code for Data). Bear in mind this is just a sample code and you will need to adjust it to your specific needs and setup or elaborate a new one using the available capabilities in Telerik Platform.
1. First you need to create a Groups (for example with Private or more strict permissions) data type (See Groups_Structure.png). It will be used to hold IDs of users that are friends. You can add Users to the participants when they become friends, for example, and the Owner is the affected user. This way when two people become friends anywhere they both will get an entry in participants for their respective group.
2. You need to add one more field to your data type in the large table, it will hold the Id of the user it belongs to (or you can use the Owner field if applicable, you can read about this special role here).
3. Add the following cloud code in the beforeRead event of the LargeDataType:
Everlive.Events.beforeRead(function(request, context, done) { //Get the ID of the user that has made the request. var userID = request.principal.id; //Check if the user comes from Portal (You are browsing through the Platform UI) if(request.principal.type === 'tfis'){ done(); } //From the Groups select the ID of the group this user belongs to. Everlive.Sdk.withMasterKey().data('Groups').get({Owner: userID}).then(function(data) { //Check if the current user can read any LargeDataType based on his security group. var idsFilter = []; //Add the requesting user id so he sees his entries. idsFilter.push(request.principal.id); //If he has any participants in his group entry (he has friends) add their ids to the filter. if(data.result[0]){ _.each(data.result[0].participants, function(item){ idsFilter.push(item); }); } //Add all the ids. request.fiterExpression = {"ownerID" : { "$in" : idsFilter}}; //Call done() to continue with the request. done(); });});How it works:
When a user makes a request to LargeDataType it will check the user Group and use the IDs of his friends as a filter expression when searching returning only results that contain his ID and that of his friends.
I hope this helps.
Regards,
Pavel
Telerik