RestAPI: how to restrict query results to data belonging to logged in user?

[Alexei Vinidiktov]

Hello,

How can I restrict access via RestAPI for the user such that they can only get their own records (those that have the field user_id matching their user id)?

For example, I have a a table named 'collections' that has a 'user_id' field, and I want my users to get only the collections that they created.

If they try to get someone else's collection, then they should get a 'not authorized' response.

As an extension, I would also like to allow for users to be able to get someone else's collection if its status is equal to 'PUBLIC'.

Here's the definition of my collections table:

db.define_table('collections',

Field('user_id', db.auth_user, notnull=True),

Field('language_code', length="3", requires=IS_IN_DB(db, 'language.code', db.language._format), notnull=True),

Field('title', length=512, notnull=True),

Field('description', 'text', notnull=False),

Field('privacy', length=50, requires=IS_IN_SET(privacy_set), notnull=True, default='PRIVATE'),

Field('level',length=10, requires=IS_IN_SET(level_set), notnull=True, default='NONE'))

Thanks,

--

Alexei

[Jacinto Parga]

Hello, 

I used this workaround in a similar case:

@auth.requires_login()

@request.restful()

def myapi():

    def GET():

        response.view = 'generic.json'

        myreg = db(db.mytable.created_by==auth.user.id).select() # Maybe in your case mytable.user_id==auth.user.id

        if myreg:

            return dict(myreg=myreg)

        else:

            data ='{"Result" : "Still empty"}'

            return data

    return dict(GET=GET)

The extesion you said can be solved this way:

@auth.requires_login()

@request.restful()

def myapi():

   def GET():

       response.view = 'generic.json'

       myreg = db((db.mytable.created_by==auth.user.id) | (db.mytable.privacy=='PUBLIC')).select() # Maybe in your case mytable.user_id==auth.user.id

       if myreg:

           return dict(myreg=myreg)

       else:

           data ='{"Result" : "Still empty"}'

           return data

   return dict(GET=GET)

[Kevin Keller]

The "proper" way would be to define "scopes" in your application. Scopes define who has access to which data. 

You can also call it roles or tags or whatever. 

Scopes is the term that is used by OAuth/OpenID connect, which is usually used to secure APIs. 

Normally you would get an OpenID (OIDC) ID Token as JWT when you login. 

Once you have that you would read that tokens contents and look for the scopes in the token and match those scopes with which the user shall access your data.

Similiar to what you did here with the workaround to match the user.id to the data. 

I suppose you can extend this examlple/workaround to used custom auth fields or the roles fields provided by web2py. 

Some applications dont use scopes but so called claims from the JWT token. 

Claims is extra info about a user such as first, lastname phonenumber etc. that can be extracted from the token. 

They put user roles in the tokens claims and match them with the applications rest api against the database. 

Similair to what you did. 

But claims are not supposed to be used for that normally, that is what scopes are for. 

Claims are just used to "contextualize" a reqiest for the API i.e. fetch relevant information for the requestor if the requestor is for example from Europe fetch all infos for Europeans from the database, 

if from another continent, fetch other data. 

I have not seen Web2py used in this way, but there you go. 

Just though this info may be interesting. 

I found this example / workaorund super useful. 

Will also use it :). 

Seems to just get the job done quickly. 

On Wed, May 27, 2020 at 6:18 PM Jacinto Parga <jpa...@gmail.com> wrote:

Hello, 

I used this workaround in a similar case:

@auth.requires_login()

@request.restful()

def myapi():

    def GET():

        response.view = 'generic.json'

        myreg = db(db.mytable.created_by==auth.user.id).select() # Maybe in your case mytable.user_id==auth.user.id

        if myreg:

            return dict(myreg=myreg)

        else:

            data ='{"Result" : "Still empty"}'

            return data

    return dict(GET=GET)

El sábado, 23 de mayo de 2020, 10:17:44 (UTC+2), Alexei Vinidiktov escribió:

Hello,

How can I restrict access via RestAPI for the user such that they can only get their own records (those that have the field user_id matching their user id)?

For example, I have a a table named 'collections' that has a 'user_id' field, and I want my users to get only the collections that they created.

If they try to get someone else's collection, then they should get a 'not authorized' response.

As an extension, I would also like to allow for users to be able to get someone else's collection if its status is equal to 'PUBLIC'.

Here's the definition of my collections table:

db.define_table('collections',

Field('user_id', db.auth_user, notnull=True),

Field('language_code', length="3", requires=IS_IN_DB(db, 'language.code', db.language._format), notnull=True),

Field('title', length=512, notnull=True),

Field('description', 'text', notnull=False),

Field('privacy', length=50, requires=IS_IN_SET(privacy_set), notnull=True, default='PRIVATE'),

Field('level',length=10, requires=IS_IN_SET(level_set), notnull=True, default='NONE'))

Thanks,

--

Alexei

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/a01f1311-adfe-4b95-9200-14afe29c9e5b%40googlegroups.com.

[Jacinto Parga]

Hello, 

yes you are right.

Are these tools not enough for the aproach of "scopes" http://web2py.com/books/default/chapter/29/09/access-control#Authorization , http://web2py.com/books/default/chapter/29/09/access-control#Decorators  and http://web2py.com/books/default/chapter/29/09/access-control#Authorization-and-CRUD ?

I mean you are talking about allow certain users to access certain information in some tables. You are talking about access control and permissions. Something like the example from the book:

Assuming the following definitions:
>>> from gluon.tools import Auth
>>> auth = Auth(db)
>>> auth.define_tables()
>>> secrets = db.define_table('secret_document', Field('body'))
>>> james_bond = db.auth_user.insert(first_name='James',
                                     last_name='Bond')
Here is an example:
>>> doc_id = db.secret_document.insert(body = 'top secret')
>>> agents = auth.add_group(role = 'Secret Agent')
>>> auth.add_membership(agents, james_bond)
>>> auth.add_permission(agents, 'read', secrets)
>>> print auth.has_permission('read', secrets, doc_id, james_bond)
True
>>> print auth.has_permission('update', secrets, doc_id, james_bond)
False

@auth.requires_permission('read', secrets)
def function_four():
    return 'you can read secret documents'

Here is another example form the book:

def post_comment():
   form = crud.create(db.comment, onaccept=give_update_permission)
   query = auth.accessible_query('read', db.comment, auth.user.id)
   comments = db(query).select(db.comment.ALL)
   return dict(form=form, comments=comments)

The permissions names enforced by :

crud.settings.auth = auth

are "read", "create", "update", "delete", "select", "impersonate".

To unsubscribe from this group and stop receiving emails from it, send an email to web...@googlegroups.com.