This question was closed Nov 15, 2017 at 02:14 PM by Sid for the following reason:
The question is answered, right answer was accepted
BaaS allows user to POST even if the permission is set to GET only.
Hello All, I am creating a collection say 'orders' in BaaS. The goal is to create a User who has only GET permission and should not be able to create / update the collection. Here are the steps:
1. Created a New App in Baas.
2. Created a new collection Orders.
3. Created a Role-1 with Read Only permissions (only GET)
4. Created a User-1 and assign Role-1 to it.
I generate a token using grant_type = password and successfully gets a token back.
Using this token I fire a GET on postman and successfully gets the orders.
However, when I try to to POST the data, the Baas still allows me to create new Order (even though the User-1 as only GET permission)
Is there any step I am missing here ?
Thanks
Syd
Are you certain that your permissions are set as you describe?
And are you certain that you are using the same token in each case?
To check the roles & permissions in BaaS, you can visit
https://appservices.apigee.com/#!/roles
Can you show us what you see there? I want to see all the roles defined, and then for the User-1, I want to see all roles attached to that user.
Alternatively, invoke the API to request those permissions, like this:
curl -i https://apibaas-trial.apigee.net/ORGNAME/APPNAME/roles/ROLE/permissions
I want to see that output for each role in the app. And then also:
curl -i https://apibaas-trial.apigee.net/ORGNAME/APPNAME/users/User-1/roles
You will need to provide appropriate authentication credentials there , for those queries. You can use the app credentials. That means you must append query params client_id and client_secret to that url.
curl -i https://apibaas-trial.apigee.net/ORGNAME/APPNAME/users/User-1/roles?client_id=foobar\&client_secret=bahBlag
Best Answer
@Syd
On your BaaS under role section as shown on the picture 1.png, remove all the default role and be left with the role you created and set your permission path to /* or any wild card of you choice
.
Under the user section, select your user then under Groups,Roles and permissions select role and select your role eg. 2.png. It should be able to get only
Hello @Dino & @Nkcubeko Jamela : Thanks for your looking into it. I started fresh & followed the steps you guys mentioned. Its working as expected. However I am not sure what I was doing wrong earlier. Probably some oversight on my end. Attaching my steps as screenshots in the zip which I executed today and it worked just fine :-) Kindly review if you get a chance.
Thanks Again
Syd
steps1-6.zip
I observed that if I delete 'guest' , 'default' roles then it works, else it does not.
